Commit Graph

222 Commits

Author SHA1 Message Date
Ted Kremenek 0bb32e3e5d Handle disgusting corner case where a byte is loaded from the address of a function.
llvm-svn: 78000
2009-08-03 21:41:46 +00:00
Ted Kremenek ca7935d347 Remove RegionViews and RegionCasts. These are no longer used.
llvm-svn: 77876
2009-08-02 05:15:23 +00:00
Ted Kremenek f106ab91ff RegionStoreManager::RemoveDeadBindings() now removes dead 'default' bindings as well.
llvm-svn: 77875
2009-08-02 05:00:15 +00:00
Ted Kremenek cee28a4c4d Generalize the interface of 'StoreManager::RemoveDeadBindings()' to manipulate the entire GRState, not just the Store.
llvm-svn: 77870
2009-08-02 04:45:08 +00:00
Ted Kremenek 1f22aa7433 This is a fairly large patch, which resulted from a cascade of changes
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.

The root of the change is in StoreManager::CastRegion().  Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region.  This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.

Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object.  This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).

Other related changes that cascaded from this one (as tests were
failing in RegionStore):

- Revamped RegionStoreManager::InvalidateRegion() to completely remove
  all bindings and default values from a region and all subregions.
  Now invalidated fields are not bound directly to new symbolic
  values; instead the base region has a "default" symbol value from
  which "derived symbols" can be created.  The main advantage of this
  approach is that it allows us to invalidate a region hierarchy and
  then lazily instantiate new values no matter how deep the hierarchy
  went (i.e., regardless of the number of field accesses,
  e.g. x->f->y->z->...).  The previous approach did not do this.

- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
  incorporate live symbols and live regions that do not have direct
  bindings but also have "default values" used for lazy instantiation.
  The changes to 'InvalidateRegion' revealed that these were necessary
  in order to achieve lazy instantiation of values in the region store
  with those bindings being removed too early.

- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
  a serious bug in 'getSubRegionMap()' where not all region -> subregion
  relationships involved in actually bindings (explicit and implicit)
  were being recorded.  This has been fixed by using a worklist algorithm
  to iteratively fill in the region map.

- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
  OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
  layering of ElementRegions.

- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
  being marked live if the symbol they were derived from was also live.
  This fix was critical for getting lazy instantiation in RegionStore
  to work.

- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
  to use SymbolManager::canSymbolicate() to decide whether or not a
  symbol should be symbolicated.

- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
  moved to 'test/Analysis/misc-ps.m'.

- Tweaked some pretty-printing of MemRegions, and implemented
  'ElementRegion::getRawOffset()' for use with the CastRegion changes.

llvm-svn: 77782
2009-08-01 06:17:29 +00:00
Ted Kremenek c23c7e6a51 Change uses of:
Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
  Type::getAsRecordType() -> Type::getAs<RecordType>()
  Type::getAsPointerType() -> Type::getAs<PointerType>()
  Type::getAsBlockPointerType() -> Type::getAs<BlockPointerType>()
  Type::getAsLValueReferenceType() -> Type::getAs<LValueReferenceType>()
  Type::getAsRValueReferenceType() -> Type::getAs<RValueReferenceType>()
  Type::getAsMemberPointerType() -> Type::getAs<MemberPointerType>()
  Type::getAsReferenceType() -> Type::getAs<ReferenceType>()
  Type::getAsTagType() -> Type::getAs<TagType>()
  
And remove Type::getAsReferenceType(), etc.

This change is similar to one I made a couple weeks ago, but that was partly
reverted pending some additional design discussion. With Doug's pending smart
pointer changes for Types, it seemed natural to take this approach.

llvm-svn: 77510
2009-07-29 21:53:49 +00:00
Ted Kremenek 4301526e8d Remove 'StoreManager::OldCastRegion()', TypedViewRegion (which only
OldCastRegion used), and the associated command line option
'-analyzer-store=old-basic-cast'.

llvm-svn: 77509
2009-07-29 21:43:22 +00:00
Ted Kremenek bca70671e7 Make StoreManager::InvalidateRegion() virtual, move the current implementation
in StoreManager to RegionStoreManager, and create a special, highly reduced
version in BasicStoreManager.

These changes are in preparation for future RegionStore-specific changes to
InvalidateRegion.

llvm-svn: 77483
2009-07-29 18:16:25 +00:00
Ted Kremenek 920ad71dab Temporarily disable most use of region casts in RegionStoreManager,
instead preferring to use the a region's actual type when creating
symbols and using the QualType passed to Retrieve for implicit
casting.  This preprocessor logic is temporary; eventually we will
either remove region casts or keep them.

Temporarily toggle (via preprocessor directives) that SymbolicRegions
with heap storage are not undefined, but instead should be
symbolicated.  If we want to model that a SymbolicRegion is
uninitialized, we can explicitly model that by binding UndefinedVal to
that region.  It turns out that we want to treat most heap objects as
being defined, not the other way around.

llvm-svn: 76720
2009-07-22 04:35:42 +00:00
Ted Kremenek ac7c7240f0 Fix PR 4594 by refactoring almost all casting logic from GRExprEngine::VisitCast
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).

llvm-svn: 76641
2009-07-21 21:03:30 +00:00
Ted Kremenek fe12f88924 RegionStore:
-refactor logic for retrieving bindings from VarDecls into
 RegionStoreManager::RetrieveVar()
- improve RegionStoreManager::CastRetrievedVal() and SimpleSValuate::EvalCastNL
  to better handle casts of values of the same canonical type as well as
  casts of LocAsInteger values.

llvm-svn: 76516
2009-07-21 00:12:07 +00:00
Ted Kremenek 834e2f69da Enhanced IsReinterpreted() (RegionStore.cpp) to reason about higher-order
pointers.

Enhanced RegionStoreManager::Retrieve() to handle automatic casts when the
loaded value is different from the requested value. This should be refined over
time, but essentially we should always symbolicate locations as locations, and
convert them to non-locations on demand.

These changes now cause 'misc-ps.m' to pass again.

llvm-svn: 76497
2009-07-20 22:58:02 +00:00
Ted Kremenek 8a286fbdb9 Per offline discussion with Steve Naroff, add back Type::getAsXXXType() methods
until Doug Gregor's Type smart pointer code lands (or more discussion occurs).
These methods just call the new Type::getAs<XXX> methods, so we still have
reduced implementation redundancy. Having explicit getAsXXXType() methods makes
it easier to set breakpoints in the debugger.

llvm-svn: 76193
2009-07-17 17:50:17 +00:00
Ted Kremenek b825c0ddc5 Replaced Type::getAsLValueReferenceType(), Type::getAsRValueReferenceType(), Type::getAsMemberPointerType(), Type::getAsTagType(), and Type::getAsRecordType() with their Type::getAs<XXX> equivalents.
llvm-svn: 76139
2009-07-17 01:20:38 +00:00
Ted Kremenek e3fb4b6524 Add member template 'Type::getAs<T>', which converts a Type* to a respective T*.
This method is intended to eventually replace the individual
Type::getAsXXXType<> methods.

The motivation behind this change is twofold:

1) Reduce redundant implementations of Type::getAsXXXType() methods. Most of
them are basically copy-and-paste.

2) By centralizing the implementation of the getAs<Type> logic we can more
smoothly move over to Doug Gregor's proposed canonical type smart pointer
scheme.

Along with this patch:

a) Removed 'Type::getAsPointerType()'; now clients use getAs<PointerType>.
b) Removed 'Type::getAsBlockPointerTypE()'; now clients use getAs<BlockPointerType>.

llvm-svn: 76098
2009-07-16 19:58:26 +00:00
Ted Kremenek c7b1dade86 Move RegionStoreManager over to using new
ValueManager::makeArrayIndex()/convertArrayIndex() methods.  This
handles yet another crash case when reasoning about array indices of
different bitwidth and signedness.

llvm-svn: 75884
2009-07-16 01:33:37 +00:00
Ted Kremenek ccc22924b0 Use utility method to create 0-index into ElementRegion.
llvm-svn: 75865
2009-07-16 00:00:11 +00:00
Ted Kremenek 4802955b84 Enhance RegionStore's reasoning about Objective-C ivars. More testing to follow.
llvm-svn: 75748
2009-07-15 06:09:28 +00:00
Zhongxing Xu b5bf7ee393 Use utility method.
llvm-svn: 75745
2009-07-15 05:09:24 +00:00
Ted Kremenek 57fa7e3cc8 Relax assertion.
llvm-svn: 75738
2009-07-15 04:23:32 +00:00
Ted Kremenek e6fea68c46 More test cases revealed that the logic in StoreManager::InvalidateRegion() needs more finesse when handling the invalidation of pointers. Pointers that were invalidated as integers could later cause problems for clients using them as pointers. It is easier for us to model a symbolic value as a pointer rather than modeling a non-symbolic value as a pointer.
This patch causes:
- StoreManager::InvalidateRegion() to not used the casted type of a region if
  it would cause a pointer type to be invalidated as a non-pointer type.
- Pushes RegionStore::RetrieveElement() further by handling retrievals from
  symbolic arrays that have been invalidated.  This uses the new SymbolDerived
  construct that was recently introduced.
  
The result is that the failing test in misc-ps-region-store-x86_64.m now passes.
Both misc-ps-region-store-x86_64.m and misc-ps-region-store-i386.m contain a
test case that motivated this change.

llvm-svn: 75730
2009-07-15 02:31:43 +00:00
Ted Kremenek 0c37d19fea Enhance RegionStoreManager to handle 'Retrieve's from SymbolicRegions. We do this by silently wrapping the region with an ElementRegion. This fixes the failures in misc-ps-region-store.m.
llvm-svn: 75679
2009-07-14 20:48:22 +00:00
Zhongxing Xu 170e816eff Instead of recovering from a wrong invalidation, this patch aims to
invalidate the region correctly. It uses the cast-to type to invalidate 
the region when available. To avoid invalid cast-to type like 'void*' or 'id',
region store now only records non-generic casts of regions.

llvm-svn: 75580
2009-07-14 01:12:46 +00:00
Ted Kremenek a6904ff7f9 Tidy pretty-printing for SVals, using 'dump()' instead of 'printStdErr()', and implementing operator<< support for llvm::raw_ostream.
llvm-svn: 75560
2009-07-13 23:53:06 +00:00
Ted Kremenek eabdd984b1 Change pretty-printing API for SymExprs and MemRegions to use a naming convention and style similar to other elements in Clang.
llvm-svn: 75548
2009-07-13 23:31:04 +00:00
Ted Kremenek f6f0461a38 Restructure RegionStoreManager::EvalBinOp() as a switch dispatch over different
MemRegion kinds. This allows the compiler to identify what MemRegions we don't
handle for pointer arithmetic.

llvm-svn: 75326
2009-07-11 00:58:27 +00:00
Ted Kremenek 94575aacc1 Restructure RegionStoreManager::getSizeInElements() to use a switch statement
over the types of MemRegions. This allows the compiler to warn us which regions
are not handled, and also is a little faster.

llvm-svn: 75304
2009-07-10 22:30:06 +00:00
Ted Kremenek 9e010e11c3 Move the new 'CastRegion' implementation from RegionStoreManager to StoreManager
(its superclass). This will allow us to experiment with using the new CastRegion
with BasicStoreManager, and gradually phase out the old implementation.

llvm-svn: 74851
2009-07-06 20:21:51 +00:00
Zhongxing Xu 61e6692993 remove utility methods that are not very useful.
llvm-svn: 74762
2009-07-03 06:11:41 +00:00
Ted Kremenek 194f46a11a Remove unused method.
llvm-svn: 74751
2009-07-03 00:41:09 +00:00
Ted Kremenek 06cc0e31b2 Replace guarded calls in RegionStoreManager to
ValueManager::getRegionValueSymbolVal() with unguarded calls to
ValueManager::getRegionValueSymbolValOrUnknown(). This changes centralizes the
decision of what values to symbolicate in SymbolManager rather than having it
scatter in RegionStoreManager.

llvm-svn: 74730
2009-07-02 22:16:42 +00:00
Ted Kremenek 725b4a3a51 Enhance RegionStore to lazily symbolicate fields and array elements for
structures passed-by-value as function arguments.

llvm-svn: 74729
2009-07-02 22:02:15 +00:00
Ted Kremenek df67d426d9 StoreManagers: Use 'hasGlobalsStorage()' and 'hasParametersStorage()' instead of
directly consulting if a VarDecl is an implicit or actual parameter, a global,
etc.

llvm-svn: 74716
2009-07-02 18:25:09 +00:00
Ted Kremenek 873db25879 Minor code cleanup: pull variables into scope of 'if' statement, limiting their
actual lifetime to their logical lifetime.

llvm-svn: 74665
2009-07-01 23:30:34 +00:00
Ted Kremenek 55e07efeed Add a FIXME to RegionStore, do some minor code cleanup, and get RegionStore to
pass misc-ps.m. Currently RegionStore/BasicStore don't do any special reasoning
about clang-style vectors, so we should return UnknownVal (in all cases) when
accessing their values via an array.

llvm-svn: 74660
2009-07-01 23:19:52 +00:00
Zhongxing Xu b4ce4fc4ee add fixme.
llvm-svn: 74581
2009-07-01 02:12:57 +00:00
Zhongxing Xu e205d43c75 When retrieving element region, if its super region has binding, return
unknown for it.

Mark the super region of a live region as live, if the live region is pointed
to by a live pointer variable.

These fixes xfail_regionstore_wine_crash.c.

llvm-svn: 74524
2009-06-30 12:32:59 +00:00
Argyrios Kyrtzidis cfbfe78e9e De-ASTContext-ify DeclContext.
Remove ASTContext parameter from DeclContext's methods. This change cascaded down to other Decl's methods and changes to call sites started "escalating".
Timings using pre-tokenized "cocoa.h" showed only a ~1% increase in time run between and after this commit.

llvm-svn: 74506
2009-06-30 02:36:12 +00:00
Zhongxing Xu 0628f539a8 Adjust retrieve handler priority. If a field is of array type, it should be
handled by RetrieveArray().

llvm-svn: 74409
2009-06-28 14:16:39 +00:00
Zhongxing Xu d260db1238 Do not crash on binding concrete integer location.
llvm-svn: 74407
2009-06-28 10:16:11 +00:00
Ted Kremenek af1ac826f6 Update method signature.
llvm-svn: 74244
2009-06-26 00:41:43 +00:00
Ted Kremenek 1642bdaaa5 Introduce a new concept to the static analyzer: SValuator.
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.

We now have one implementation of SValuator: SimpleSValuator.

SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.

As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.

llvm-svn: 74229
2009-06-26 00:05:51 +00:00
Zhongxing Xu c53b444d36 remove RegionKills GDM. Now UnknownVal is bound to regions explicitly.
llvm-svn: 74168
2009-06-25 05:52:16 +00:00
Zhongxing Xu 2d16073b50 Move element region retrieving logic into a separate function.
llvm-svn: 74166
2009-06-25 05:29:39 +00:00
Zhongxing Xu e67ea5c784 Move all logic for retrieving ElementRegion binding into a separate method.
Revert to setting default value approach for handling struct initialization.

llvm-svn: 74160
2009-06-25 04:50:44 +00:00
Ted Kremenek 799bb6e178 Remove uses of std::ostream from libAnalysis.
llvm-svn: 74136
2009-06-24 23:06:47 +00:00
Zhongxing Xu 33420090ae use a concrete type instead of a trait type to make code more readable.
llvm-svn: 74047
2009-06-24 01:12:41 +00:00
Zhongxing Xu 9ef415edf2 RegionStore: revert to the default value approach for array initialization.
llvm-svn: 74043
2009-06-24 00:56:31 +00:00
Ted Kremenek 2d99f97c17 - Add MemRegion::getMemorySpace()
- Change implementation of MemRegion::hasStackStorage()/hasHeapStorage() to use
  'getMemorySpace()'.  This avoids a double traversal up the region hierarchy
  and is simpler.
- Add MemRegion::hasHeapOrStackStorage() as a slightly more efficient
  alternative to 'hasStackStorage() || hasHeapStorage()'.

llvm-svn: 73977
2009-06-23 18:17:08 +00:00
Ted Kremenek 404b132dc0 Move 'hasStackStorage()' and 'hasHeapStorage()' from MemRegionManager to MemRegion.
llvm-svn: 73973
2009-06-23 18:05:21 +00:00