Add a boilerplate for out-of-bound array checking. This has no real function currently.

llvm-svn: 58886
2008-11-08 03:45:42 +00:00 · 2008-11-08 03:45:42 +00:00 · 3d43015bc7
parent 06ad209fb1
commit 3d43015bc7
3 changed files with 36 additions and 1 deletions
--- a/clang/include/clang/Analysis/PathSensitive/GRExprEngine.h
+++ b/clang/include/clang/Analysis/PathSensitive/GRExprEngine.h
@ -455,6 +455,15 @@ protected:
    return StateMgr.Assume(St, Cond, Assumption, isFeasible);
  }

+  const GRState* AssumeInBound(const GRState* St, SVal Idx, SVal UpperBound,
+                               bool Assumption, bool& isFeasible) {
+    // FIXME: In this function, we will check if Idx can be in/out 
+    // [0, UpperBound) according to the assumption.  We can extend the 
+    // interface to include a LowerBound parameter.
+    isFeasible = true;
+    return St;
+  }
+
  NodeTy* MakeNode(NodeSet& Dst, Stmt* S, NodeTy* Pred, const GRState* St,
                   ProgramPoint::Kind K = ProgramPoint::PostStmtKind) {
    assert (Builder && "GRStmtNodeBuilder not present.");
--- a/clang/include/clang/Analysis/PathSensitive/Store.h
+++ b/clang/include/clang/Analysis/PathSensitive/Store.h
@ -72,7 +72,11 @@ public:
                              const FieldDecl* D) = 0;
  
  virtual SVal getLValueElement(const GRState* St, SVal Base, SVal Offset) = 0;
-  
+
+  virtual SVal getSizeInElements(const GRState* St, const MemRegion* R) {
+    return UnknownVal();
+  }
+
  /// ArrayToPointer - Used by GRExprEngine::VistCast to handle implicit
  ///  conversions between arrays and pointers.
  virtual SVal ArrayToPointer(SVal Array) = 0;
--- a/clang/lib/Analysis/GRExprEngine.cpp
+++ b/clang/lib/Analysis/GRExprEngine.cpp
@ -1067,6 +1067,28 @@ const GRState* GRExprEngine::EvalLocation(Expr* Ex, NodeTy* Pred,
      else ExplicitNullDeref.insert(NullNode);
    }
  }
+
+  // Check for out-of-bound array access.
+  if (isFeasibleNotNull && isa<loc::MemRegionVal>(LV)) {
+    const MemRegion* R = cast<loc::MemRegionVal>(LV).getRegion();
+    if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
+      // Get the index of the accessed element.
+      SVal Idx = ER->getIndex();
+      // Get the extent of the array.
+      SVal NumElements = StateMgr.getStoreManager().getSizeInElements(StNotNull,
+                                                       ER->getSuperRegion());
+
+      bool isFeasibleInBound = false;
+      const GRState* StInBound = AssumeInBound(StNotNull, Idx, NumElements, 
+                                               true, isFeasibleInBound);
+
+      bool isFeasibleOutBound = false;
+      const GRState* StOutBound = AssumeInBound(StNotNull, Idx, NumElements, 
+                                                false, isFeasibleOutBound);
+
+      // Report warnings ...
+    }
+  }
  
  return isFeasibleNotNull ? StNotNull : NULL;
 }