maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/lib/Analysis/MemRegion.cpp

747 lines
23 KiB
C++
Raw Normal View History

This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
//== MemRegion.cpp - Abstract memory regions for static analysis --*- C++ -*--//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines MemRegion and its subclasses. MemRegion defines a
// partially-typed abstraction of memory useful for path-sensitive dataflow
// analyses.
//
//===----------------------------------------------------------------------===//
#include "llvm/Support/raw_ostream.h"
#include "clang/Analysis/PathSensitive/MemRegion.h"
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
#include "clang/Analysis/PathSensitive/ValueManager.h"
Remove 'SelfRegion' field from both BasicStoreManager and RegionStoreManager. SelfRegion represented the object bound to 'self' (when analyzing Objective-C methods) upon entry to a method. Having this region stored on the side ignores the current stack frame that we might be analyzing (among other things), and is a problem for interprocedural analysis. For RegionStoreManager, the value for SelfRegion is just lazily created. For BasicStoreManager, the value for SelfRegion is bound eagerly to 'self', but no explicit tracking of SelfRegion on the side is made. As part of this change, remove the restriction in BasicStoreManager that we only track ivars for 'self'. This shouldn't actually change anything in terms of precision, and simplifies the logic. llvm-svn: 79694
2009-08-22 07:25:54 +08:00
#include "clang/Analysis/PathSensitive/AnalysisContext.h"
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
#include "clang/AST/StmtVisitor.h"
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
using namespace clang;
More template-logic for MemRegion construction out of MemRegion.h and into MemRegion.cpp. llvm-svn: 90499
2009-12-04 08:05:57 +08:00
//===----------------------------------------------------------------------===//
// MemRegion Construction.
//===----------------------------------------------------------------------===//
template<typename RegionTy> struct MemRegionManagerTrait;
template <typename RegionTy, typename A1>
RegionTy* MemRegionManager::getRegion(const A1 a1) {
const typename MemRegionManagerTrait<RegionTy>::SuperRegionTy *superRegion =
MemRegionManagerTrait<RegionTy>::getSuperRegion(*this, a1);
llvm::FoldingSetNodeID ID;
RegionTy::ProfileRegion(ID, a1, superRegion);
void* InsertPos;
RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
InsertPos));
if (!R) {
R = (RegionTy*) A.Allocate<RegionTy>();
new (R) RegionTy(a1, superRegion);
Regions.InsertNode(R, InsertPos);
}
return R;
}
template <typename RegionTy, typename A1>
RegionTy* MemRegionManager::getSubRegion(const A1 a1,
const MemRegion *superRegion) {
llvm::FoldingSetNodeID ID;
RegionTy::ProfileRegion(ID, a1, superRegion);
void* InsertPos;
RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
InsertPos));
if (!R) {
R = (RegionTy*) A.Allocate<RegionTy>();
new (R) RegionTy(a1, superRegion);
Regions.InsertNode(R, InsertPos);
}
return R;
}
template <typename RegionTy, typename A1, typename A2>
RegionTy* MemRegionManager::getRegion(const A1 a1, const A2 a2) {
const typename MemRegionManagerTrait<RegionTy>::SuperRegionTy *superRegion =
MemRegionManagerTrait<RegionTy>::getSuperRegion(*this, a1, a2);
llvm::FoldingSetNodeID ID;
RegionTy::ProfileRegion(ID, a1, a2, superRegion);
void* InsertPos;
RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
InsertPos));
if (!R) {
R = (RegionTy*) A.Allocate<RegionTy>();
new (R) RegionTy(a1, a2, superRegion);
Regions.InsertNode(R, InsertPos);
}
return R;
}
template <typename RegionTy, typename A1, typename A2>
RegionTy* MemRegionManager::getSubRegion(const A1 a1, const A2 a2,
const MemRegion *superRegion) {
llvm::FoldingSetNodeID ID;
RegionTy::ProfileRegion(ID, a1, a2, superRegion);
void* InsertPos;
RegionTy* R = cast_or_null<RegionTy>(Regions.FindNodeOrInsertPos(ID,
InsertPos));
if (!R) {
R = (RegionTy*) A.Allocate<RegionTy>();
new (R) RegionTy(a1, a2, superRegion);
Regions.InsertNode(R, InsertPos);
}
return R;
}
//===----------------------------------------------------------------------===//
// Traits for constructing regions.
//===----------------------------------------------------------------------===//
template <> struct MemRegionManagerTrait<AllocaRegion> {
typedef MemRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
const Expr *, unsigned) {
return MRMgr.getStackRegion();
}
};
template <> struct MemRegionManagerTrait<CompoundLiteralRegion> {
typedef MemRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
const CompoundLiteralExpr *CL) {
return CL->isFileScope() ? MRMgr.getGlobalsRegion()
: MRMgr.getStackRegion();
}
};
template <> struct MemRegionManagerTrait<StringRegion> {
typedef MemSpaceRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
const StringLiteral*) {
return MRMgr.getGlobalsRegion();
}
};
template <> struct MemRegionManagerTrait<VarRegion> {
typedef MemRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager &MRMgr,
const VarDecl *D,
const LocationContext *LC) {
// FIXME: Make stack regions have a location context?
if (D->hasLocalStorage()) {
return isa<ParmVarDecl>(D) || isa<ImplicitParamDecl>(D)
? MRMgr.getStackArgumentsRegion() : MRMgr.getStackRegion();
}
return MRMgr.getGlobalsRegion();
}
};
template <> struct MemRegionManagerTrait<SymbolicRegion> {
typedef MemRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
SymbolRef) {
return MRMgr.getUnknownRegion();
}
};
template<> struct MemRegionManagerTrait<FunctionTextRegion> {
typedef MemSpaceRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
const FunctionDecl*) {
return MRMgr.getCodeRegion();
}
};
template<> struct MemRegionManagerTrait<BlockTextRegion> {
typedef MemSpaceRegion SuperRegionTy;
static const SuperRegionTy* getSuperRegion(MemRegionManager& MRMgr,
const BlockDecl*, CanQualType) {
return MRMgr.getCodeRegion();
}
};
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
//===----------------------------------------------------------------------===//
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
// Object destruction.
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
//===----------------------------------------------------------------------===//
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
MemRegion::~MemRegion() {}
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
MemRegionManager::~MemRegionManager() {
// All regions and their data are BumpPtrAllocated. No need to call
// their destructors.
}
//===----------------------------------------------------------------------===//
// Basic methods.
//===----------------------------------------------------------------------===//
Add isSubRegionOf() method to SubRegion. llvm-svn: 61924
2009-01-08 21:17:14 +08:00
bool SubRegion::isSubRegionOf(const MemRegion* R) const {
const MemRegion* r = getSuperRegion();
while (r != 0) {
if (r == R)
return true;
if (const SubRegion* sr = dyn_cast<SubRegion>(r))
r = sr->getSuperRegion();
else
break;
}
return false;
}
MemRegions: - Embed a reference to MemRegionManager objects in MemSpaceRegion objects - Use this embedded reference for MemRegion objects to access ASTContext objects without external help - Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required) llvm-svn: 73935
2009-06-23 08:46:41 +08:00
MemRegionManager* SubRegion::getMemRegionManager() const {
const SubRegion* r = this;
do {
const MemRegion *superRegion = r->getSuperRegion();
if (const SubRegion *sr = dyn_cast<SubRegion>(superRegion)) {
r = sr;
continue;
}
return superRegion->getMemRegionManager();
} while (1);
}
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
void MemSpaceRegion::Profile(llvm::FoldingSetNodeID& ID) const {
ID.AddInteger((unsigned)getKind());
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
void StringRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
const StringLiteral* Str,
Add StringRegion to MemRegions. llvm-svn: 58137
2008-10-25 22:13:41 +08:00
const MemRegion* superRegion) {
ID.AddInteger((unsigned) StringRegionKind);
ID.AddPointer(Str);
ID.AddPointer(superRegion);
}
Added AllocaRegion, which represents regions created by calls to alloca(). llvm-svn: 58551
2008-11-02 08:34:33 +08:00
void AllocaRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
MemRegionManager: Migrate logic for getAllocaRegion() over to using trait-based MemRegion creation. llvm-svn: 73927
2009-06-23 08:15:41 +08:00
const Expr* Ex, unsigned cnt,
const MemRegion *) {
Added AllocaRegion, which represents regions created by calls to alloca(). llvm-svn: 58551
2008-11-02 08:34:33 +08:00
ID.AddInteger((unsigned) AllocaRegionKind);
ID.AddPointer(Ex);
ID.AddInteger(cnt);
}
void AllocaRegion::Profile(llvm::FoldingSetNodeID& ID) const {
MemRegionManager: Migrate logic for getAllocaRegion() over to using trait-based MemRegion creation. llvm-svn: 73927
2009-06-23 08:15:41 +08:00
ProfileRegion(ID, Ex, Cnt, superRegion);
Added AllocaRegion, which represents regions created by calls to alloca(). llvm-svn: 58551
2008-11-02 08:34:33 +08:00
}
Added CompoundLiteralRegion to represent the (temporary) memory allocated for a compound literal. llvm-svn: 58270
2008-10-28 04:57:58 +08:00
void CompoundLiteralRegion::Profile(llvm::FoldingSetNodeID& ID) const {
CompoundLiteralRegion::ProfileRegion(ID, CL, superRegion);
}
void CompoundLiteralRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
const CompoundLiteralExpr* CL,
const MemRegion* superRegion) {
ID.AddInteger((unsigned) CompoundLiteralRegionKind);
ID.AddPointer(CL);
ID.AddPointer(superRegion);
}
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
void DeclRegion::ProfileRegion(llvm::FoldingSetNodeID& ID, const Decl* D,
const MemRegion* superRegion, Kind k) {
ID.AddInteger((unsigned) k);
ID.AddPointer(D);
ID.AddPointer(superRegion);
}
void DeclRegion::Profile(llvm::FoldingSetNodeID& ID) const {
DeclRegion::ProfileRegion(ID, D, superRegion, getKind());
}
Add LocationContext* field to VarRegion. This is needed for interprocedural analysis. llvm-svn: 79680
2009-08-22 06:28:32 +08:00
void VarRegion::Profile(llvm::FoldingSetNodeID &ID) const {
VarRegion::ProfileRegion(ID, getDecl(), LC, superRegion);
}
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
void SymbolicRegion::ProfileRegion(llvm::FoldingSetNodeID& ID, SymbolRef sym,
const MemRegion *sreg) {
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
ID.AddInteger((unsigned) MemRegion::SymbolicRegionKind);
Use trait-based profiling of SymbolRefs, avoiding calling getNumber() (which will soon be removed). llvm-svn: 60577
2008-12-05 10:39:38 +08:00
ID.Add(sym);
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
ID.AddPointer(sreg);
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
}
void SymbolicRegion::Profile(llvm::FoldingSetNodeID& ID) const {
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
SymbolicRegion::ProfileRegion(ID, sym, getSuperRegion());
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
}
Per conversations with Zhongxing, add an 'element type' to ElementRegion. I also removed 'ElementRegion::getArrayRegion', although we may need to add this back. This breaks a few test cases with RegionStore: - 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate. - misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic: 'Line 159: Uninitialized or undefined return value returned to caller.' There were a bunch of places that needed to be edit RegionStoreManager, and we may not be passing all the correct 'element types' down from GRExprEngine. Zhongxing: When you get a chance, could you review this? I could have easily screwed up something basic in RegionStoreManager. llvm-svn: 70830
2009-05-04 14:18:28 +08:00
void ElementRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
QualType ElementType, SVal Idx,
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
const MemRegion* superRegion) {
ID.AddInteger(MemRegion::ElementRegionKind);
Per conversations with Zhongxing, add an 'element type' to ElementRegion. I also removed 'ElementRegion::getArrayRegion', although we may need to add this back. This breaks a few test cases with RegionStore: - 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate. - misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic: 'Line 159: Uninitialized or undefined return value returned to caller.' There were a bunch of places that needed to be edit RegionStoreManager, and we may not be passing all the correct 'element types' down from GRExprEngine. Zhongxing: When you get a chance, could you review this? I could have easily screwed up something basic in RegionStoreManager. llvm-svn: 70830
2009-05-04 14:18:28 +08:00
ID.Add(ElementType);
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
ID.AddPointer(superRegion);
Idx.Profile(ID);
}
void ElementRegion::Profile(llvm::FoldingSetNodeID& ID) const {
Per conversations with Zhongxing, add an 'element type' to ElementRegion. I also removed 'ElementRegion::getArrayRegion', although we may need to add this back. This breaks a few test cases with RegionStore: - 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate. - misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic: 'Line 159: Uninitialized or undefined return value returned to caller.' There were a bunch of places that needed to be edit RegionStoreManager, and we may not be passing all the correct 'element types' down from GRExprEngine. Zhongxing: When you get a chance, could you review this? I could have easily screwed up something basic in RegionStoreManager. llvm-svn: 70830
2009-05-04 14:18:28 +08:00
ElementRegion::ProfileRegion(ID, ElementType, Index, superRegion);
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
}
An ElementRegion is really a typed region. Its super region's type has to be ArrayType. llvm-svn: 58245
2008-10-27 21:17:02 +08:00
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
void FunctionTextRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
const FunctionDecl *FD,
const MemRegion*) {
ID.AddInteger(MemRegion::FunctionTextRegionKind);
Use SymbolicRegion instead of CodeTextRegion for symbolic function pointers. Most logic cares first about whether or not a region is symbolic, and second if represents code. This should fix a series of silent corner case bugs (as well as simplify a bunch of code). llvm-svn: 80335
2009-08-28 12:49:15 +08:00
ID.AddPointer(FD);
Add prototype for CodeTextRegion. A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef. The latter comes from the symbolic function pointer that are generated from function calls or input data. llvm-svn: 68777
2009-04-10 16:45:10 +08:00
}
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
void FunctionTextRegion::Profile(llvm::FoldingSetNodeID& ID) const {
FunctionTextRegion::ProfileRegion(ID, FD, superRegion);
}
void BlockTextRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
const BlockDecl *BD, CanQualType,
const MemRegion*) {
ID.AddInteger(MemRegion::BlockTextRegionKind);
ID.AddPointer(BD);
}
void BlockTextRegion::Profile(llvm::FoldingSetNodeID& ID) const {
BlockTextRegion::ProfileRegion(ID, BD, locTy, superRegion);
Add prototype for CodeTextRegion. A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef. The latter comes from the symbolic function pointer that are generated from function calls or input data. llvm-svn: 68777
2009-04-10 16:45:10 +08:00
}
Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. 'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.). llvm-svn: 89900
2009-11-26 07:53:07 +08:00
void BlockDataRegion::ProfileRegion(llvm::FoldingSetNodeID& ID,
const BlockTextRegion *BC,
const LocationContext *LC,
const MemRegion *) {
ID.AddInteger(MemRegion::BlockDataRegionKind);
ID.AddPointer(BC);
ID.AddPointer(LC);
}
void BlockDataRegion::Profile(llvm::FoldingSetNodeID& ID) const {
BlockDataRegion::ProfileRegion(ID, BC, LC, NULL);
}
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
//===----------------------------------------------------------------------===//
// Region pretty-printing.
//===----------------------------------------------------------------------===//
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void MemRegion::dump() const {
dumpToStream(llvm::errs());
Remove commented methods. Add MemRegion::printStdErr(). llvm-svn: 74709
2009-07-03 01:24:10 +08:00
}
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
std::string MemRegion::getString() const {
std::string s;
llvm::raw_string_ostream os(s);
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
dumpToStream(os);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
return os.str();
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void MemRegion::dumpToStream(llvm::raw_ostream& os) const {
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
os << "<Unknown Region>";
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void AllocaRegion::dumpToStream(llvm::raw_ostream& os) const {
Added AllocaRegion, which represents regions created by calls to alloca(). llvm-svn: 58551
2008-11-02 08:34:33 +08:00
os << "alloca{" << (void*) Ex << ',' << Cnt << '}';
}
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
void FunctionTextRegion::dumpToStream(llvm::raw_ostream& os) const {
Use SymbolicRegion instead of CodeTextRegion for symbolic function pointers. Most logic cares first about whether or not a region is symbolic, and second if represents code. This should fix a series of silent corner case bugs (as well as simplify a bunch of code). llvm-svn: 80335
2009-08-28 12:49:15 +08:00
os << "code{" << getDecl()->getDeclName().getAsString() << '}';
Recommit 69694 but this time also include the header changes (sorry for breaking the build). llvm-svn: 69702
2009-04-22 03:56:58 +08:00
}
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
void BlockTextRegion::dumpToStream(llvm::raw_ostream& os) const {
Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. 'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.). llvm-svn: 89900
2009-11-26 07:53:07 +08:00
os << "block_code{" << (void*) this << '}';
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
}
Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. 'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.). llvm-svn: 89900
2009-11-26 07:53:07 +08:00
void BlockDataRegion::dumpToStream(llvm::raw_ostream& os) const {
os << "block_data{" << BC << '}';
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void CompoundLiteralRegion::dumpToStream(llvm::raw_ostream& os) const {
Lexically order the implementation of MemRegion 'print' methods. No functionality change. llvm-svn: 69688
2009-04-22 02:09:22 +08:00
// FIXME: More elaborate pretty-printing.
os << "{ " << (void*) CL << " }";
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void ElementRegion::dumpToStream(llvm::raw_ostream& os) const {
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
os << "element{" << superRegion << ','
<< Index << ',' << getElementType().getAsString() << '}';
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void FieldRegion::dumpToStream(llvm::raw_ostream& os) const {
os << superRegion << "->" << getDecl()->getNameAsString();
Add pretty-printing support for FieldRegions. llvm-svn: 57724
2008-10-18 05:05:44 +08:00
}
Improve debug pretty-printing for ObjCIVarRegions. llvm-svn: 76380
2009-07-20 04:36:24 +08:00
void ObjCIvarRegion::dumpToStream(llvm::raw_ostream& os) const {
os << "ivar{" << superRegion << ',' << getDecl()->getNameAsString() << '}';
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
void StringRegion::dumpToStream(llvm::raw_ostream& os) const {
Implement FIXME in pretty-printing for StringRegions. llvm-svn: 76381
2009-07-20 04:38:24 +08:00
Str->printPretty(os, 0, PrintingPolicy(getContext().getLangOptions()));
Add printing method to ElementRegion. llvm-svn: 58077
2008-10-24 14:30:07 +08:00
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void SymbolicRegion::dumpToStream(llvm::raw_ostream& os) const {
When pretty-printing symbolic regions, use '{' ... '}' to indicate the symbol used for the region (makes it easier to read for nested regions). llvm-svn: 75550
2009-07-14 07:38:57 +08:00
os << "SymRegion{" << sym << '}';
Added CompoundLiteralRegion to represent the (temporary) memory allocated for a compound literal. llvm-svn: 58270
2008-10-28 04:57:58 +08:00
}
Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang. llvm-svn: 75548
2009-07-14 07:31:04 +08:00
void VarRegion::dumpToStream(llvm::raw_ostream& os) const {
Lexically order the implementation of MemRegion 'print' methods. No functionality change. llvm-svn: 69688
2009-04-22 02:09:22 +08:00
os << cast<VarDecl>(D)->getNameAsString();
Add pretty printing to StringRegion. llvm-svn: 58985
2008-11-10 21:05:26 +08:00
}
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
void RegionRawOffset::dump() const {
dumpToStream(llvm::errs());
}
void RegionRawOffset::dumpToStream(llvm::raw_ostream& os) const {
os << "raw_offset{" << getRegion() << ',' << getByteOffset() << '}';
}
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
//===----------------------------------------------------------------------===//
// MemRegionManager methods.
//===----------------------------------------------------------------------===//
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::LazyAllocate(MemSpaceRegion*& region) {
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
if (!region) {
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
region = (MemSpaceRegion*) A.Allocate<MemSpaceRegion>();
MemRegions: - Embed a reference to MemRegionManager objects in MemSpaceRegion objects - Use this embedded reference for MemRegion objects to access ASTContext objects without external help - Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required) llvm-svn: 73935
2009-06-23 08:46:41 +08:00
new (region) MemSpaceRegion(this);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
MemRegions: - Embed a reference to MemRegionManager objects in MemSpaceRegion objects - Use this embedded reference for MemRegion objects to access ASTContext objects without external help - Use this access to ASTContext to simplify 'isBoundable' (no ASTContext& argument required) llvm-svn: 73935
2009-06-23 08:46:41 +08:00
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
return region;
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getStackRegion() {
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
return LazyAllocate(stack);
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getStackArgumentsRegion() {
Add a separate MemSpaceRegion for function/method arguments passed on the stack. This will simplify the logic of StoreManagers that want to specially reason about the values of parameters. llvm-svn: 74715
2009-07-03 02:14:59 +08:00
return LazyAllocate(stackArguments);
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getGlobalsRegion() {
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
return LazyAllocate(globals);
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getHeapRegion() {
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
return LazyAllocate(heap);
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getUnknownRegion() {
This is the first step to implement a field-sensitive store model. Other things are simplified: no heap shape assumption, no parameter alias assumption, etc. llvm-svn: 57285
2008-10-08 10:50:44 +08:00
return LazyAllocate(unknown);
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const MemSpaceRegion *MemRegionManager::getCodeRegion() {
Add prototype for CodeTextRegion. A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef. The latter comes from the symbolic function pointer that are generated from function calls or input data. llvm-svn: 68777
2009-04-10 16:45:10 +08:00
return LazyAllocate(code);
}
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
//===----------------------------------------------------------------------===//
// Constructing regions.
//===----------------------------------------------------------------------===//
Add StringRegion to MemRegions. llvm-svn: 58137
2008-10-25 22:13:41 +08:00
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const StringRegion* MemRegionManager::getStringRegion(const StringLiteral* Str) {
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
return getRegion<StringRegion>(Str);
Add StringRegion to MemRegions. llvm-svn: 58137
2008-10-25 22:13:41 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const VarRegion* MemRegionManager::getVarRegion(const VarDecl *D,
const LocationContext *LC) {
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
Remove 'SelfRegion' field from both BasicStoreManager and RegionStoreManager. SelfRegion represented the object bound to 'self' (when analyzing Objective-C methods) upon entry to a method. Having this region stored on the side ignores the current stack frame that we might be analyzing (among other things), and is a problem for interprocedural analysis. For RegionStoreManager, the value for SelfRegion is just lazily created. For BasicStoreManager, the value for SelfRegion is bound eagerly to 'self', but no explicit tracking of SelfRegion on the side is made. As part of this change, remove the restriction in BasicStoreManager that we only track ivars for 'self'. This shouldn't actually change anything in terms of precision, and simplifies the logic. llvm-svn: 79694
2009-08-22 07:25:54 +08:00
// FIXME: Once we implement scope handling, we will need to properly lookup
// 'D' to the proper LocationContext. For now, just strip down to the
// StackFrame.
while (!isa<StackFrameContext>(LC))
LC = LC->getParent();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
Add LocationContext* field to VarRegion. This is needed for interprocedural analysis. llvm-svn: 79680
2009-08-22 06:28:32 +08:00
return getRegion<VarRegion>(D, LC);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const BlockDataRegion *
MemRegionManager::getBlockDataRegion(const BlockTextRegion *BC,
const LocationContext *LC) {
Refine MemRegions for blocks. Add a new region called 'BlockDataRegion' to distinguish between the code associated with a block (which is represented by 'BlockTextRegion') and an instance of a block, which includes both code and data. 'BlockDataRegion' has an associated LocationContext, which can be used to eventually model the lifetime of a block object once LocationContexts can represent scopes (and iterations around a loop, etc.). llvm-svn: 89900
2009-11-26 07:53:07 +08:00
// FIXME: Once we implement scope handling, we will need to properly lookup
// 'D' to the proper LocationContext. For now, just strip down to the
// StackFrame.
while (!isa<StackFrameContext>(LC))
LC = LC->getParent();
return getSubRegion<BlockDataRegion>(BC, LC, getStackRegion());
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const CompoundLiteralRegion*
Added CompoundLiteralRegion to represent the (temporary) memory allocated for a compound literal. llvm-svn: 58270
2008-10-28 04:57:58 +08:00
MemRegionManager::getCompoundLiteralRegion(const CompoundLiteralExpr* CL) {
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
return getRegion<CompoundLiteralRegion>(CL);
Added CompoundLiteralRegion to represent the (temporary) memory allocated for a compound literal. llvm-svn: 58270
2008-10-28 04:57:58 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const ElementRegion*
Per conversations with Zhongxing, add an 'element type' to ElementRegion. I also removed 'ElementRegion::getArrayRegion', although we may need to add this back. This breaks a few test cases with RegionStore: - 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate. - misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic: 'Line 159: Uninitialized or undefined return value returned to caller.' There were a bunch of places that needed to be edit RegionStoreManager, and we may not be passing all the correct 'element types' down from GRExprEngine. Zhongxing: When you get a chance, could you review this? I could have easily screwed up something basic in RegionStoreManager. llvm-svn: 70830
2009-05-04 14:18:28 +08:00
MemRegionManager::getElementRegion(QualType elementType, SVal Idx,
Move RegionStoreManager over to using new ValueManager::makeArrayIndex()/convertArrayIndex() methods. This handles yet another crash case when reasoning about array indices of different bitwidth and signedness. llvm-svn: 75884
2009-07-16 09:33:37 +08:00
const MemRegion* superRegion,
ASTContext& Ctx){
Use canonical type for building ElementRegion. Otherwise ElementRegions cannot be unique. llvm-svn: 73482
2009-06-16 17:55:50 +08:00
QualType T = Ctx.getCanonicalType(elementType);
A series of cleanups/fixes motivated by <rdar://problem/6442306>: GRExprEngine (VisitCast): - When using StoreManager::CastRegion, always use the state and value it returns to generate the next node. Failure to do so means that region values returned that don't require the state to be modified will get ignored. MemRegion: - Tighten the interface for ElementRegion. Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion. Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions. - Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region. - Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion. All that matters is that it is a TypedRegion, which is now true all the time by design. BasicStore: - Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion. This conforms to the updated interface for ElementRegion. RegionStore: - In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion. llvm-svn: 60990
2008-12-14 03:24:37 +08:00
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
llvm::FoldingSetNodeID ID;
Use canonical type for building ElementRegion. Otherwise ElementRegions cannot be unique. llvm-svn: 73482
2009-06-16 17:55:50 +08:00
ElementRegion::ProfileRegion(ID, T, Idx, superRegion);
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
void* InsertPos;
MemRegion* data = Regions.FindNodeOrInsertPos(ID, InsertPos);
ElementRegion* R = cast_or_null<ElementRegion>(data);
if (!R) {
R = (ElementRegion*) A.Allocate<ElementRegion>();
Use canonical type for building ElementRegion. Otherwise ElementRegions cannot be unique. llvm-svn: 73482
2009-06-16 17:55:50 +08:00
new (R) ElementRegion(T, Idx, superRegion);
Add ElementRegion to represent memory chunks for array elements. llvm-svn: 57891
2008-10-21 13:27:10 +08:00
Regions.InsertNode(R, InsertPos);
}
return R;
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const FunctionTextRegion *
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
MemRegionManager::getFunctionTextRegion(const FunctionDecl *FD) {
return getRegion<FunctionTextRegion>(FD);
Add prototype for CodeTextRegion. A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef. The latter comes from the symbolic function pointer that are generated from function calls or input data. llvm-svn: 68777
2009-04-10 16:45:10 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const BlockTextRegion *
MemRegionManager::getBlockTextRegion(const BlockDecl *BD, CanQualType locTy) {
Split CodeTextRegion into FunctionTextRegion and BlockTextRegion. This a precursor to having basic static analysis support for blocks. llvm-svn: 89828
2009-11-25 09:32:22 +08:00
return getRegion<BlockTextRegion>(BD, locTy);
}
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
/// getSymbolicRegion - Retrieve or create a "symbolic" memory region.
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const SymbolicRegion *MemRegionManager::getSymbolicRegion(SymbolRef sym) {
Refactor some of the logic in MemRegionManager for constructing regions using member template functions and traits. The idea is to allow MemRegionManager to construct subclasses of MemRegion that aren't declared in MemRegion.h (e.g., checker-specific regions). llvm-svn: 73917
2009-06-23 07:13:13 +08:00
return getRegion<SymbolicRegion>(sym);
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const FieldRegion *
MemRegionManager::getFieldRegion(const FieldDecl* d,
const MemRegion* superRegion){
Rename potentially ambiguous member template 'getRegion' to 'getSubRegion' to hopefully resolve template lookup ambiguities on some compilers. llvm-svn: 75253
2009-07-11 00:51:45 +08:00
return getSubRegion<FieldRegion>(d, superRegion);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const ObjCIvarRegion*
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
MemRegionManager::getObjCIvarRegion(const ObjCIvarDecl* d,
const MemRegion* superRegion) {
Rename potentially ambiguous member template 'getRegion' to 'getSubRegion' to hopefully resolve template lookup ambiguities on some compilers. llvm-svn: 75253
2009-07-11 00:51:45 +08:00
return getSubRegion<ObjCIvarRegion>(d, superRegion);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const ObjCObjectRegion*
Added region ObjCObjectRegion that represents an instance of an Objective-C object. llvm-svn: 58106
2008-10-25 04:30:08 +08:00
MemRegionManager::getObjCObjectRegion(const ObjCInterfaceDecl* d,
MemRegionManager: Migrate getObjCObjectRegion() and getTypedViewRegion() to use the new trait-based construction of MemRegion objects. llvm-svn: 73926
2009-06-23 08:04:09 +08:00
const MemRegion* superRegion) {
Rename potentially ambiguous member template 'getRegion' to 'getSubRegion' to hopefully resolve template lookup ambiguities on some compilers. llvm-svn: 75253
2009-07-11 00:51:45 +08:00
return getSubRegion<ObjCObjectRegion>(d, superRegion);
Added region ObjCObjectRegion that represents an instance of an Objective-C object. llvm-svn: 58106
2008-10-25 04:30:08 +08:00
}
constify MemRegion* returned by MemRegionManager::getXXXRegion() methods. llvm-svn: 90503
2009-12-04 08:26:31 +08:00
const AllocaRegion*
MemRegionManager::getAllocaRegion(const Expr* E, unsigned cnt) {
MemRegionManager: Migrate logic for getAllocaRegion() over to using trait-based MemRegion creation. llvm-svn: 73927
2009-06-23 08:15:41 +08:00
return getRegion<AllocaRegion>(E, cnt);
Added AllocaRegion, which represents regions created by calls to alloca(). llvm-svn: 58551
2008-11-02 08:34:33 +08:00
}
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
const MemSpaceRegion *MemRegion::getMemorySpace() const {
const MemRegion *R = this;
const SubRegion* SR = dyn_cast<SubRegion>(this);
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
- constify some uses of MemRegion* (MemRegion should be immutable). - Added new region "SymbolicRegion", which maps symbol values to the region domain. - Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion) - Added some utility methods to GRState for fetch svals from the store. - Fixed regression in CheckNSError (we weren't getting the value bound to the parameter) llvm-svn: 57717
2008-10-18 04:28:54 +08:00
while (SR) {
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
R = SR->getSuperRegion();
SR = dyn_cast<SubRegion>(R);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
return dyn_cast<MemSpaceRegion>(R);
This is a big patch, but the functionality change is small and the rest of the patch consists of deltas due to API changes. This patch overhauls the "memory region" abstraction that was prototyped (but never really used) as part of the Store.h. This patch adds MemRegion.h and MemRegion.cpp, which defines the class MemRegion and its subclasses. This classes serve to define an abstract representation of memory, with regions being layered on other regions to to capture the relationships between fields and variables, variables and the address space they are allocated in, and so on. The main motivation of this patch is that key parts of the analyzer assumed that all value bindings were to VarDecls. In the future this won't be the case, and this patch removes lval::DeclVal and replaces it with lval::MemRegionVal. Now all pieces of the analyzer must reason about abstract memory blocks instead of just variables. There should be no functionality change from this patch, but it opens the door for significant improvements to the analyzer such as field-sensitivity and object-sensitivity, both which were on hold until the memory abstraction got generalized. The memory region abstraction also allows type-information to literally be affixed to a memory region. This will allow the some now redundant logic to be removed from the retain/release checker. llvm-svn: 57042
2008-10-04 13:50:14 +08:00
}
Implement analyzer support for OSCompareAndSwap. This required pushing "tagged" ProgramPoints all the way through to GRCoreEngine. NSString.m now fails with RegionStoreManager because of the void** cast. Disabling use of region store for that test for now. llvm-svn: 68845
2009-04-11 08:11:10 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
bool MemRegion::hasStackStorage() const {
Add a separate MemSpaceRegion for function/method arguments passed on the stack. This will simplify the logic of StoreManagers that want to specially reason about the values of parameters. llvm-svn: 74715
2009-07-03 02:14:59 +08:00
if (const MemSpaceRegion *MS = getMemorySpace()) {
MemRegionManager *Mgr = getMemRegionManager();
return MS == Mgr->getStackRegion() || MS == Mgr->getStackArgumentsRegion();
}
Remove duplicated methods. llvm-svn: 73940
2009-06-23 10:51:21 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
return false;
}
Remove duplicated methods. llvm-svn: 73940
2009-06-23 10:51:21 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
bool MemRegion::hasHeapStorage() const {
if (const MemSpaceRegion *MS = getMemorySpace())
return MS == getMemRegionManager()->getHeapRegion();
Remove duplicated methods. llvm-svn: 73940
2009-06-23 10:51:21 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
return false;
}
Remove duplicated methods. llvm-svn: 73940
2009-06-23 10:51:21 +08:00
- Add MemRegion::getMemorySpace() - Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use 'getMemorySpace()'. This avoids a double traversal up the region hierarchy and is simpler. - Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient alternative to 'hasStackStorage() || hasHeapStorage()'. llvm-svn: 73977
2009-06-24 02:17:08 +08:00
bool MemRegion::hasHeapOrStackStorage() const {
if (const MemSpaceRegion *MS = getMemorySpace()) {
MemRegionManager *Mgr = getMemRegionManager();
Add a separate MemSpaceRegion for function/method arguments passed on the stack. This will simplify the logic of StoreManagers that want to specially reason about the values of parameters. llvm-svn: 74715
2009-07-03 02:14:59 +08:00
return MS == Mgr->getHeapRegion()
|| MS == Mgr->getStackRegion()
|| MS == Mgr->getStackArgumentsRegion();
Remove duplicated methods. llvm-svn: 73940
2009-06-23 10:51:21 +08:00
}
return false;
StoreManagers: Use 'hasGlobalsStorage()' and 'hasParametersStorage()' instead of directly consulting if a VarDecl is an implicit or actual parameter, a global, etc. llvm-svn: 74716
2009-07-03 02:25:09 +08:00
}
bool MemRegion::hasGlobalsStorage() const {
if (const MemSpaceRegion *MS = getMemorySpace())
return MS == getMemRegionManager()->getGlobalsRegion();
return false;
}
Enhance RegionStore to lazily symbolicate fields and array elements for structures passed-by-value as function arguments. llvm-svn: 74729
2009-07-03 06:02:15 +08:00
bool MemRegion::hasParametersStorage() const {
if (const MemSpaceRegion *MS = getMemorySpace())
return MS == getMemRegionManager()->getStackArgumentsRegion();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
Enhance RegionStore to lazily symbolicate fields and array elements for structures passed-by-value as function arguments. llvm-svn: 74729
2009-07-03 06:02:15 +08:00
return false;
}
StoreManagers: Use 'hasGlobalsStorage()' and 'hasParametersStorage()' instead of directly consulting if a VarDecl is an implicit or actual parameter, a global, etc. llvm-svn: 74716
2009-07-03 02:25:09 +08:00
bool MemRegion::hasGlobalsOrParametersStorage() const {
if (const MemSpaceRegion *MS = getMemorySpace()) {
MemRegionManager *Mgr = getMemRegionManager();
return MS == Mgr->getGlobalsRegion()
|| MS == Mgr->getStackArgumentsRegion();
}
return false;
}
Implement analyzer support for OSCompareAndSwap. This required pushing "tagged" ProgramPoints all the way through to GRCoreEngine. NSString.m now fails with RegionStoreManager because of the void** cast. Disabling use of region store for that test for now. llvm-svn: 68845
2009-04-11 08:11:10 +08:00
Refine PointerSubChecker: compare the base region instead of the original region, so that arithmetic within a memory chunk is allowed. llvm-svn: 86652
2009-11-10 10:37:53 +08:00
// getBaseRegion strips away all elements and fields, and get the base region
// of them.
const MemRegion *MemRegion::getBaseRegion() const {
const MemRegion *R = this;
while (true) {
if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
R = ER->getSuperRegion();
continue;
}
if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) {
R = FR->getSuperRegion();
continue;
}
break;
}
return R;
}
Implement analyzer support for OSCompareAndSwap. This required pushing "tagged" ProgramPoints all the way through to GRCoreEngine. NSString.m now fails with RegionStoreManager because of the void** cast. Disabling use of region store for that test for now. llvm-svn: 68845
2009-04-11 08:11:10 +08:00
//===----------------------------------------------------------------------===//
// View handling.
//===----------------------------------------------------------------------===//
Rename: StripCasts describes what it does better. getBaseRegion will be used in another method. llvm-svn: 86649
2009-11-10 10:17:20 +08:00
const MemRegion *MemRegion::StripCasts() const {
Add 'MemRegion::getBaseRegion()', a utility method to strip ElementRegions with index 0. This will be used for refinements to InvalidateRegion and CastRegion. llvm-svn: 77481
2009-07-30 02:14:27 +08:00
const MemRegion *R = this;
while (true) {
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
Add 'MemRegion::getBaseRegion()', a utility method to strip ElementRegions with index 0. This will be used for refinements to InvalidateRegion and CastRegion. llvm-svn: 77481
2009-07-30 02:14:27 +08:00
// FIXME: generalize. Essentially we want to strip away ElementRegions
// that were layered on a symbolic region because of casts. We only
// want to strip away ElementRegions, however, where the index is 0.
SVal index = ER->getIndex();
if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&index)) {
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
if (CI->getValue().getSExtValue() == 0) {
Add 'MemRegion::getBaseRegion()', a utility method to strip ElementRegions with index 0. This will be used for refinements to InvalidateRegion and CastRegion. llvm-svn: 77481
2009-07-30 02:14:27 +08:00
R = ER->getSuperRegion();
continue;
}
}
}
break;
}
return R;
}
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
// FIXME: Merge with the implementation of the same method in Store.cpp
static bool IsCompleteType(ASTContext &Ctx, QualType Ty) {
if (const RecordType *RT = Ty->getAs<RecordType>()) {
const RecordDecl *D = RT->getDecl();
if (!D->getDefinition(Ctx))
return false;
}
return true;
}
RegionRawOffset ElementRegion::getAsRawOffset() const {
int64_t offset = 0;
const ElementRegion *ER = this;
const MemRegion *superR = NULL;
ASTContext &C = getContext();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
// FIXME: Handle multi-dimensional arrays.
while (ER) {
superR = ER->getSuperRegion();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
// FIXME: generalize to symbolic offsets.
SVal index = ER->getIndex();
if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&index)) {
// Update the offset.
int64_t i = CI->getValue().getSExtValue();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
if (i != 0) {
QualType elemType = ER->getElementType();
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
// If we are pointing to an incomplete type, go no further.
if (!IsCompleteType(C, elemType)) {
superR = ER;
break;
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
int64_t size = (int64_t) (C.getTypeSize(elemType) / 8);
offset += (i * size);
}
// Go to the next ElementRegion (if any).
ER = dyn_cast<ElementRegion>(superR);
continue;
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
return NULL;
}
Remove tabs, and whitespace cleanups. llvm-svn: 81346
2009-09-09 23:08:12 +08:00
This is a fairly large patch, which resulted from a cascade of changes made to RegionStore (and related classes) in order to handle some analyzer failures involving casts and manipulation of symbolic memory. The root of the change is in StoreManager::CastRegion(). Instead of using ad hoc heuristics to decide when to layer an ElementRegion on a casted MemRegion, we now always layer an ElementRegion when the cast type is different than the original type of the region. This carries the current cast information associated with a region around without resorting to the error prone recording of "casted types" in GRState. Along with this new policy of layering ElementRegions, I added a new algorithm to strip away existing ElementRegions when they simply represented casts of a base memory object. This algorithm computes the raw "byte offset" that an ElementRegion represents from the base region, and allows the new ElementRegion to be based off that offset. The added benefit is that this naturally handles a series of casts of a MemRegion without building up a set of redundant ElementRegions (thus canonicalizing the region view). Other related changes that cascaded from this one (as tests were failing in RegionStore): - Revamped RegionStoreManager::InvalidateRegion() to completely remove all bindings and default values from a region and all subregions. Now invalidated fields are not bound directly to new symbolic values; instead the base region has a "default" symbol value from which "derived symbols" can be created. The main advantage of this approach is that it allows us to invalidate a region hierarchy and then lazily instantiate new values no matter how deep the hierarchy went (i.e., regardless of the number of field accesses, e.g. x->f->y->z->...). The previous approach did not do this. - Slightly reworked RegionStoreManager::RemoveDeadBindings() to also incorporate live symbols and live regions that do not have direct bindings but also have "default values" used for lazy instantiation. The changes to 'InvalidateRegion' revealed that these were necessary in order to achieve lazy instantiation of values in the region store with those bindings being removed too early. - The changes to InvalidateRegion() and RemoveDeadBindings() revealed a serious bug in 'getSubRegionMap()' where not all region -> subregion relationships involved in actually bindings (explicit and implicit) were being recorded. This has been fixed by using a worklist algorithm to iteratively fill in the region map. - Added special support to RegionStoreManager::Bind()/Retrieve() to handle OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the layering of ElementRegions. - Fixed a bug in SymbolReaper::isLive() where derived symbols were not being marked live if the symbol they were derived from was also live. This fix was critical for getting lazy instantiation in RegionStore to work. - Tidied up the implementation of ValueManager::getXXXSymbolVal() methods to use SymbolManager::canSymbolicate() to decide whether or not a symbol should be symbolicated. - 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been moved to 'test/Analysis/misc-ps.m'. - Tweaked some pretty-printing of MemRegions, and implemented 'ElementRegion::getRawOffset()' for use with the CastRegion changes. llvm-svn: 77782
2009-08-01 14:17:29 +08:00
assert(superR && "super region cannot be NULL");
return RegionRawOffset(superR, offset);
}
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
//===----------------------------------------------------------------------===//
// BlockDataRegion
//===----------------------------------------------------------------------===//
void BlockDataRegion::LazyInitializeReferencedVars() {
if (ReferencedVars)
return;
AnalysisContext *AC = LC->getAnalysisContext();
AnalysisContext::referenced_decls_iterator I, E;
llvm::tie(I, E) = AC->getReferencedBlockVars(BC->getDecl());
if (I == E) {
ReferencedVars = (void*) 0x1;
return;
}
MemRegionManager &MemMgr = *getMemRegionManager();
llvm::BumpPtrAllocator &A = MemMgr.getAllocator();
BumpVectorContext BC(A);
typedef BumpVector<const MemRegion*> VarVec;
VarVec *BV = (VarVec*) A.Allocate<VarVec>();
Provide the correct vector size for referenced variables. llvm-svn: 90267
2009-12-02 06:12:34 +08:00
new (BV) VarVec(BC, E - I);
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
for ( ; I != E; ++I)
BV->push_back(MemMgr.getVarRegion(*I, LC), BC);
ReferencedVars = BV;
}
BlockDataRegion::referenced_vars_iterator
BlockDataRegion::referenced_vars_begin() const {
const_cast<BlockDataRegion*>(this)->LazyInitializeReferencedVars();
BumpVector<const MemRegion*> *Vec =
static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
Make BlockDataRegion::referenced_vars_iterator an actual class that enforces that all MemRegions iterated over are VarRegions. llvm-svn: 90430
2009-12-03 16:09:21 +08:00
return BlockDataRegion::referenced_vars_iterator(Vec == (void*) 0x1 ?
NULL : Vec->begin());
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
}
BlockDataRegion::referenced_vars_iterator
BlockDataRegion::referenced_vars_end() const {
const_cast<BlockDataRegion*>(this)->LazyInitializeReferencedVars();
BumpVector<const MemRegion*> *Vec =
static_cast<BumpVector<const MemRegion*>*>(ReferencedVars);
Make BlockDataRegion::referenced_vars_iterator an actual class that enforces that all MemRegions iterated over are VarRegions. llvm-svn: 90430
2009-12-03 16:09:21 +08:00
return BlockDataRegion::referenced_vars_iterator(Vec == (void*) 0x1 ?
NULL : Vec->end());
Add iterators to BlockDataRegion that allow clients to iterate over the VarRegions for "captured" variables for a block. llvm-svn: 89927
2009-11-26 10:34:36 +08:00
}