clang API Documentation
00001 // SValBuilder.cpp - Basic class for all SValBuilder implementations -*- C++ -*- 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 // 00010 // This file defines SValBuilder, the base class for all (complete) SValBuilder 00011 // implementations. 00012 // 00013 //===----------------------------------------------------------------------===// 00014 00015 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 00016 #include "clang/AST/DeclCXX.h" 00017 #include "clang/AST/ExprCXX.h" 00018 #include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h" 00019 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 00020 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 00021 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 00022 00023 using namespace clang; 00024 using namespace ento; 00025 00026 //===----------------------------------------------------------------------===// 00027 // Basic SVal creation. 00028 //===----------------------------------------------------------------------===// 00029 00030 void SValBuilder::anchor() { } 00031 00032 DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) { 00033 if (Loc::isLocType(type)) 00034 return makeNull(); 00035 00036 if (type->isIntegralOrEnumerationType()) 00037 return makeIntVal(0, type); 00038 00039 // FIXME: Handle floats. 00040 // FIXME: Handle structs. 00041 return UnknownVal(); 00042 } 00043 00044 NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op, 00045 const llvm::APSInt& rhs, QualType type) { 00046 // The Environment ensures we always get a persistent APSInt in 00047 // BasicValueFactory, so we don't need to get the APSInt from 00048 // BasicValueFactory again. 00049 assert(lhs); 00050 assert(!Loc::isLocType(type)); 00051 return nonloc::SymbolVal(SymMgr.getSymIntExpr(lhs, op, rhs, type)); 00052 } 00053 00054 NonLoc SValBuilder::makeNonLoc(const llvm::APSInt& lhs, 00055 BinaryOperator::Opcode op, const SymExpr *rhs, 00056 QualType type) { 00057 assert(rhs); 00058 assert(!Loc::isLocType(type)); 00059 return nonloc::SymbolVal(SymMgr.getIntSymExpr(lhs, op, rhs, type)); 00060 } 00061 00062 NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op, 00063 const SymExpr *rhs, QualType type) { 00064 assert(lhs && rhs); 00065 assert(!Loc::isLocType(type)); 00066 return nonloc::SymbolVal(SymMgr.getSymSymExpr(lhs, op, rhs, type)); 00067 } 00068 00069 NonLoc SValBuilder::makeNonLoc(const SymExpr *operand, 00070 QualType fromTy, QualType toTy) { 00071 assert(operand); 00072 assert(!Loc::isLocType(toTy)); 00073 return nonloc::SymbolVal(SymMgr.getCastSymbol(operand, fromTy, toTy)); 00074 } 00075 00076 SVal SValBuilder::convertToArrayIndex(SVal val) { 00077 if (val.isUnknownOrUndef()) 00078 return val; 00079 00080 // Common case: we have an appropriately sized integer. 00081 if (Optional<nonloc::ConcreteInt> CI = val.getAs<nonloc::ConcreteInt>()) { 00082 const llvm::APSInt& I = CI->getValue(); 00083 if (I.getBitWidth() == ArrayIndexWidth && I.isSigned()) 00084 return val; 00085 } 00086 00087 return evalCastFromNonLoc(val.castAs<NonLoc>(), ArrayIndexTy); 00088 } 00089 00090 nonloc::ConcreteInt SValBuilder::makeBoolVal(const CXXBoolLiteralExpr *boolean){ 00091 return makeTruthVal(boolean->getValue()); 00092 } 00093 00094 DefinedOrUnknownSVal 00095 SValBuilder::getRegionValueSymbolVal(const TypedValueRegion* region) { 00096 QualType T = region->getValueType(); 00097 00098 if (!SymbolManager::canSymbolicate(T)) 00099 return UnknownVal(); 00100 00101 SymbolRef sym = SymMgr.getRegionValueSymbol(region); 00102 00103 if (Loc::isLocType(T)) 00104 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 00105 00106 return nonloc::SymbolVal(sym); 00107 } 00108 00109 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag, 00110 const Expr *Ex, 00111 const LocationContext *LCtx, 00112 unsigned Count) { 00113 QualType T = Ex->getType(); 00114 00115 // Compute the type of the result. If the expression is not an R-value, the 00116 // result should be a location. 00117 QualType ExType = Ex->getType(); 00118 if (Ex->isGLValue()) 00119 T = LCtx->getAnalysisDeclContext()->getASTContext().getPointerType(ExType); 00120 00121 return conjureSymbolVal(SymbolTag, Ex, LCtx, T, Count); 00122 } 00123 00124 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag, 00125 const Expr *expr, 00126 const LocationContext *LCtx, 00127 QualType type, 00128 unsigned count) { 00129 if (!SymbolManager::canSymbolicate(type)) 00130 return UnknownVal(); 00131 00132 SymbolRef sym = SymMgr.conjureSymbol(expr, LCtx, type, count, symbolTag); 00133 00134 if (Loc::isLocType(type)) 00135 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 00136 00137 return nonloc::SymbolVal(sym); 00138 } 00139 00140 00141 DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt, 00142 const LocationContext *LCtx, 00143 QualType type, 00144 unsigned visitCount) { 00145 if (!SymbolManager::canSymbolicate(type)) 00146 return UnknownVal(); 00147 00148 SymbolRef sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount); 00149 00150 if (Loc::isLocType(type)) 00151 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 00152 00153 return nonloc::SymbolVal(sym); 00154 } 00155 00156 DefinedOrUnknownSVal 00157 SValBuilder::getConjuredHeapSymbolVal(const Expr *E, 00158 const LocationContext *LCtx, 00159 unsigned VisitCount) { 00160 QualType T = E->getType(); 00161 assert(Loc::isLocType(T)); 00162 assert(SymbolManager::canSymbolicate(T)); 00163 00164 SymbolRef sym = SymMgr.conjureSymbol(E, LCtx, T, VisitCount); 00165 return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(sym)); 00166 } 00167 00168 DefinedSVal SValBuilder::getMetadataSymbolVal(const void *symbolTag, 00169 const MemRegion *region, 00170 const Expr *expr, QualType type, 00171 unsigned count) { 00172 assert(SymbolManager::canSymbolicate(type) && "Invalid metadata symbol type"); 00173 00174 SymbolRef sym = 00175 SymMgr.getMetadataSymbol(region, expr, type, count, symbolTag); 00176 00177 if (Loc::isLocType(type)) 00178 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 00179 00180 return nonloc::SymbolVal(sym); 00181 } 00182 00183 DefinedOrUnknownSVal 00184 SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol, 00185 const TypedValueRegion *region) { 00186 QualType T = region->getValueType(); 00187 00188 if (!SymbolManager::canSymbolicate(T)) 00189 return UnknownVal(); 00190 00191 SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region); 00192 00193 if (Loc::isLocType(T)) 00194 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); 00195 00196 return nonloc::SymbolVal(sym); 00197 } 00198 00199 DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) { 00200 return loc::MemRegionVal(MemMgr.getFunctionTextRegion(func)); 00201 } 00202 00203 DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block, 00204 CanQualType locTy, 00205 const LocationContext *locContext, 00206 unsigned blockCount) { 00207 const BlockTextRegion *BC = 00208 MemMgr.getBlockTextRegion(block, locTy, locContext->getAnalysisDeclContext()); 00209 const BlockDataRegion *BD = MemMgr.getBlockDataRegion(BC, locContext, 00210 blockCount); 00211 return loc::MemRegionVal(BD); 00212 } 00213 00214 /// Return a memory region for the 'this' object reference. 00215 loc::MemRegionVal SValBuilder::getCXXThis(const CXXMethodDecl *D, 00216 const StackFrameContext *SFC) { 00217 return loc::MemRegionVal(getRegionManager(). 00218 getCXXThisRegion(D->getThisType(getContext()), SFC)); 00219 } 00220 00221 /// Return a memory region for the 'this' object reference. 00222 loc::MemRegionVal SValBuilder::getCXXThis(const CXXRecordDecl *D, 00223 const StackFrameContext *SFC) { 00224 const Type *T = D->getTypeForDecl(); 00225 QualType PT = getContext().getPointerType(QualType(T, 0)); 00226 return loc::MemRegionVal(getRegionManager().getCXXThisRegion(PT, SFC)); 00227 } 00228 00229 Optional<SVal> SValBuilder::getConstantVal(const Expr *E) { 00230 E = E->IgnoreParens(); 00231 00232 switch (E->getStmtClass()) { 00233 // Handle expressions that we treat differently from the AST's constant 00234 // evaluator. 00235 case Stmt::AddrLabelExprClass: 00236 return makeLoc(cast<AddrLabelExpr>(E)); 00237 00238 case Stmt::CXXScalarValueInitExprClass: 00239 case Stmt::ImplicitValueInitExprClass: 00240 return makeZeroVal(E->getType()); 00241 00242 case Stmt::ObjCStringLiteralClass: { 00243 const ObjCStringLiteral *SL = cast<ObjCStringLiteral>(E); 00244 return makeLoc(getRegionManager().getObjCStringRegion(SL)); 00245 } 00246 00247 case Stmt::StringLiteralClass: { 00248 const StringLiteral *SL = cast<StringLiteral>(E); 00249 return makeLoc(getRegionManager().getStringRegion(SL)); 00250 } 00251 00252 // Fast-path some expressions to avoid the overhead of going through the AST's 00253 // constant evaluator 00254 case Stmt::CharacterLiteralClass: { 00255 const CharacterLiteral *C = cast<CharacterLiteral>(E); 00256 return makeIntVal(C->getValue(), C->getType()); 00257 } 00258 00259 case Stmt::CXXBoolLiteralExprClass: 00260 return makeBoolVal(cast<CXXBoolLiteralExpr>(E)); 00261 00262 case Stmt::IntegerLiteralClass: 00263 return makeIntVal(cast<IntegerLiteral>(E)); 00264 00265 case Stmt::ObjCBoolLiteralExprClass: 00266 return makeBoolVal(cast<ObjCBoolLiteralExpr>(E)); 00267 00268 case Stmt::CXXNullPtrLiteralExprClass: 00269 return makeNull(); 00270 00271 case Stmt::ImplicitCastExprClass: { 00272 const CastExpr *CE = cast<CastExpr>(E); 00273 if (CE->getCastKind() == CK_ArrayToPointerDecay) { 00274 Optional<SVal> ArrayVal = getConstantVal(CE->getSubExpr()); 00275 if (!ArrayVal) 00276 return None; 00277 return evalCast(*ArrayVal, CE->getType(), CE->getSubExpr()->getType()); 00278 } 00279 // FALLTHROUGH 00280 } 00281 00282 // If we don't have a special case, fall back to the AST's constant evaluator. 00283 default: { 00284 // Don't try to come up with a value for materialized temporaries. 00285 if (E->isGLValue()) 00286 return None; 00287 00288 ASTContext &Ctx = getContext(); 00289 llvm::APSInt Result; 00290 if (E->EvaluateAsInt(Result, Ctx)) 00291 return makeIntVal(Result); 00292 00293 if (Loc::isLocType(E->getType())) 00294 if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull)) 00295 return makeNull(); 00296 00297 return None; 00298 } 00299 } 00300 } 00301 00302 //===----------------------------------------------------------------------===// 00303 00304 SVal SValBuilder::makeSymExprValNN(ProgramStateRef State, 00305 BinaryOperator::Opcode Op, 00306 NonLoc LHS, NonLoc RHS, 00307 QualType ResultTy) { 00308 if (!State->isTainted(RHS) && !State->isTainted(LHS)) 00309 return UnknownVal(); 00310 00311 const SymExpr *symLHS = LHS.getAsSymExpr(); 00312 const SymExpr *symRHS = RHS.getAsSymExpr(); 00313 // TODO: When the Max Complexity is reached, we should conjure a symbol 00314 // instead of generating an Unknown value and propagate the taint info to it. 00315 const unsigned MaxComp = 10000; // 100000 28X 00316 00317 if (symLHS && symRHS && 00318 (symLHS->computeComplexity() + symRHS->computeComplexity()) < MaxComp) 00319 return makeNonLoc(symLHS, Op, symRHS, ResultTy); 00320 00321 if (symLHS && symLHS->computeComplexity() < MaxComp) 00322 if (Optional<nonloc::ConcreteInt> rInt = RHS.getAs<nonloc::ConcreteInt>()) 00323 return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy); 00324 00325 if (symRHS && symRHS->computeComplexity() < MaxComp) 00326 if (Optional<nonloc::ConcreteInt> lInt = LHS.getAs<nonloc::ConcreteInt>()) 00327 return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy); 00328 00329 return UnknownVal(); 00330 } 00331 00332 00333 SVal SValBuilder::evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, 00334 SVal lhs, SVal rhs, QualType type) { 00335 00336 if (lhs.isUndef() || rhs.isUndef()) 00337 return UndefinedVal(); 00338 00339 if (lhs.isUnknown() || rhs.isUnknown()) 00340 return UnknownVal(); 00341 00342 if (Optional<Loc> LV = lhs.getAs<Loc>()) { 00343 if (Optional<Loc> RV = rhs.getAs<Loc>()) 00344 return evalBinOpLL(state, op, *LV, *RV, type); 00345 00346 return evalBinOpLN(state, op, *LV, rhs.castAs<NonLoc>(), type); 00347 } 00348 00349 if (Optional<Loc> RV = rhs.getAs<Loc>()) { 00350 // Support pointer arithmetic where the addend is on the left 00351 // and the pointer on the right. 00352 assert(op == BO_Add); 00353 00354 // Commute the operands. 00355 return evalBinOpLN(state, op, *RV, lhs.castAs<NonLoc>(), type); 00356 } 00357 00358 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), rhs.castAs<NonLoc>(), 00359 type); 00360 } 00361 00362 DefinedOrUnknownSVal SValBuilder::evalEQ(ProgramStateRef state, 00363 DefinedOrUnknownSVal lhs, 00364 DefinedOrUnknownSVal rhs) { 00365 return evalBinOp(state, BO_EQ, lhs, rhs, getConditionType()) 00366 .castAs<DefinedOrUnknownSVal>(); 00367 } 00368 00369 /// Recursively check if the pointer types are equal modulo const, volatile, 00370 /// and restrict qualifiers. Also, assume that all types are similar to 'void'. 00371 /// Assumes the input types are canonical. 00372 static bool shouldBeModeledWithNoOp(ASTContext &Context, QualType ToTy, 00373 QualType FromTy) { 00374 while (Context.UnwrapSimilarPointerTypes(ToTy, FromTy)) { 00375 Qualifiers Quals1, Quals2; 00376 ToTy = Context.getUnqualifiedArrayType(ToTy, Quals1); 00377 FromTy = Context.getUnqualifiedArrayType(FromTy, Quals2); 00378 00379 // Make sure that non-cvr-qualifiers the other qualifiers (e.g., address 00380 // spaces) are identical. 00381 Quals1.removeCVRQualifiers(); 00382 Quals2.removeCVRQualifiers(); 00383 if (Quals1 != Quals2) 00384 return false; 00385 } 00386 00387 // If we are casting to void, the 'From' value can be used to represent the 00388 // 'To' value. 00389 if (ToTy->isVoidType()) 00390 return true; 00391 00392 if (ToTy != FromTy) 00393 return false; 00394 00395 return true; 00396 } 00397 00398 // FIXME: should rewrite according to the cast kind. 00399 SVal SValBuilder::evalCast(SVal val, QualType castTy, QualType originalTy) { 00400 castTy = Context.getCanonicalType(castTy); 00401 originalTy = Context.getCanonicalType(originalTy); 00402 if (val.isUnknownOrUndef() || castTy == originalTy) 00403 return val; 00404 00405 if (castTy->isBooleanType()) { 00406 if (val.isUnknownOrUndef()) 00407 return val; 00408 if (val.isConstant()) 00409 return makeTruthVal(!val.isZeroConstant(), castTy); 00410 if (!Loc::isLocType(originalTy) && 00411 !originalTy->isIntegralOrEnumerationType() && 00412 !originalTy->isMemberPointerType()) 00413 return UnknownVal(); 00414 if (SymbolRef Sym = val.getAsSymbol(true)) { 00415 BasicValueFactory &BVF = getBasicValueFactory(); 00416 // FIXME: If we had a state here, we could see if the symbol is known to 00417 // be zero, but we don't. 00418 return makeNonLoc(Sym, BO_NE, BVF.getValue(0, Sym->getType()), castTy); 00419 } 00420 // Loc values are not always true, they could be weakly linked functions. 00421 if (Optional<Loc> L = val.getAs<Loc>()) 00422 return evalCastFromLoc(*L, castTy); 00423 00424 Loc L = val.castAs<nonloc::LocAsInteger>().getLoc(); 00425 return evalCastFromLoc(L, castTy); 00426 } 00427 00428 // For const casts, casts to void, just propagate the value. 00429 if (!castTy->isVariableArrayType() && !originalTy->isVariableArrayType()) 00430 if (shouldBeModeledWithNoOp(Context, Context.getPointerType(castTy), 00431 Context.getPointerType(originalTy))) 00432 return val; 00433 00434 // Check for casts from pointers to integers. 00435 if (castTy->isIntegralOrEnumerationType() && Loc::isLocType(originalTy)) 00436 return evalCastFromLoc(val.castAs<Loc>(), castTy); 00437 00438 // Check for casts from integers to pointers. 00439 if (Loc::isLocType(castTy) && originalTy->isIntegralOrEnumerationType()) { 00440 if (Optional<nonloc::LocAsInteger> LV = val.getAs<nonloc::LocAsInteger>()) { 00441 if (const MemRegion *R = LV->getLoc().getAsRegion()) { 00442 StoreManager &storeMgr = StateMgr.getStoreManager(); 00443 R = storeMgr.castRegion(R, castTy); 00444 return R ? SVal(loc::MemRegionVal(R)) : UnknownVal(); 00445 } 00446 return LV->getLoc(); 00447 } 00448 return dispatchCast(val, castTy); 00449 } 00450 00451 // Just pass through function and block pointers. 00452 if (originalTy->isBlockPointerType() || originalTy->isFunctionPointerType()) { 00453 assert(Loc::isLocType(castTy)); 00454 return val; 00455 } 00456 00457 // Check for casts from array type to another type. 00458 if (const ArrayType *arrayT = 00459 dyn_cast<ArrayType>(originalTy.getCanonicalType())) { 00460 // We will always decay to a pointer. 00461 QualType elemTy = arrayT->getElementType(); 00462 val = StateMgr.ArrayToPointer(val.castAs<Loc>(), elemTy); 00463 00464 // Are we casting from an array to a pointer? If so just pass on 00465 // the decayed value. 00466 if (castTy->isPointerType() || castTy->isReferenceType()) 00467 return val; 00468 00469 // Are we casting from an array to an integer? If so, cast the decayed 00470 // pointer value to an integer. 00471 assert(castTy->isIntegralOrEnumerationType()); 00472 00473 // FIXME: Keep these here for now in case we decide soon that we 00474 // need the original decayed type. 00475 // QualType elemTy = cast<ArrayType>(originalTy)->getElementType(); 00476 // QualType pointerTy = C.getPointerType(elemTy); 00477 return evalCastFromLoc(val.castAs<Loc>(), castTy); 00478 } 00479 00480 // Check for casts from a region to a specific type. 00481 if (const MemRegion *R = val.getAsRegion()) { 00482 // Handle other casts of locations to integers. 00483 if (castTy->isIntegralOrEnumerationType()) 00484 return evalCastFromLoc(loc::MemRegionVal(R), castTy); 00485 00486 // FIXME: We should handle the case where we strip off view layers to get 00487 // to a desugared type. 00488 if (!Loc::isLocType(castTy)) { 00489 // FIXME: There can be gross cases where one casts the result of a function 00490 // (that returns a pointer) to some other value that happens to fit 00491 // within that pointer value. We currently have no good way to 00492 // model such operations. When this happens, the underlying operation 00493 // is that the caller is reasoning about bits. Conceptually we are 00494 // layering a "view" of a location on top of those bits. Perhaps 00495 // we need to be more lazy about mutual possible views, even on an 00496 // SVal? This may be necessary for bit-level reasoning as well. 00497 return UnknownVal(); 00498 } 00499 00500 // We get a symbolic function pointer for a dereference of a function 00501 // pointer, but it is of function type. Example: 00502 00503 // struct FPRec { 00504 // void (*my_func)(int * x); 00505 // }; 00506 // 00507 // int bar(int x); 00508 // 00509 // int f1_a(struct FPRec* foo) { 00510 // int x; 00511 // (*foo->my_func)(&x); 00512 // return bar(x)+1; // no-warning 00513 // } 00514 00515 assert(Loc::isLocType(originalTy) || originalTy->isFunctionType() || 00516 originalTy->isBlockPointerType() || castTy->isReferenceType()); 00517 00518 StoreManager &storeMgr = StateMgr.getStoreManager(); 00519 00520 // Delegate to store manager to get the result of casting a region to a 00521 // different type. If the MemRegion* returned is NULL, this expression 00522 // Evaluates to UnknownVal. 00523 R = storeMgr.castRegion(R, castTy); 00524 return R ? SVal(loc::MemRegionVal(R)) : UnknownVal(); 00525 } 00526 00527 return dispatchCast(val, castTy); 00528 }