diff options
| author | ed <ed@FreeBSD.org> | 2009-06-22 08:08:35 +0000 |
|---|---|---|
| committer | ed <ed@FreeBSD.org> | 2009-06-22 08:08:35 +0000 |
| commit | 8927c19a5ed03bef55dac4b623688387bcc794dc (patch) | |
| tree | b6403365e77095a79062d3379c9e6aea0df5f088 /lib/Analysis/RegionStore.cpp | |
| parent | b8e7410b22fa573fb0078712439f343bc69208dd (diff) | |
| download | FreeBSD-src-8927c19a5ed03bef55dac4b623688387bcc794dc.zip FreeBSD-src-8927c19a5ed03bef55dac4b623688387bcc794dc.tar.gz | |
Update Clang sources to r73879.
Diffstat (limited to 'lib/Analysis/RegionStore.cpp')
| -rw-r--r-- | lib/Analysis/RegionStore.cpp | 822 |
1 files changed, 471 insertions, 351 deletions
diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp index eae3aef..5f2b8f8 100644 --- a/lib/Analysis/RegionStore.cpp +++ b/lib/Analysis/RegionStore.cpp @@ -31,6 +31,32 @@ using namespace clang; typedef llvm::ImmutableMap<const MemRegion*, SVal> RegionBindingsTy; //===----------------------------------------------------------------------===// +// Fine-grained control of RegionStoreManager. +//===----------------------------------------------------------------------===// + +namespace { +struct VISIBILITY_HIDDEN minimal_features_tag {}; +struct VISIBILITY_HIDDEN maximal_features_tag {}; + +class VISIBILITY_HIDDEN RegionStoreFeatures { + bool SupportsFields; + bool SupportsRemaining; + +public: + RegionStoreFeatures(minimal_features_tag) : + SupportsFields(false), SupportsRemaining(false) {} + + RegionStoreFeatures(maximal_features_tag) : + SupportsFields(true), SupportsRemaining(false) {} + + void enableFields(bool t) { SupportsFields = t; } + + bool supportsFields() const { return SupportsFields; } + bool supportsRemaining() const { return SupportsRemaining; } +}; +} + +//===----------------------------------------------------------------------===// // Region "Views" //===----------------------------------------------------------------------===// // @@ -151,6 +177,7 @@ public: }; class VISIBILITY_HIDDEN RegionStoreManager : public StoreManager { + const RegionStoreFeatures Features; RegionBindingsTy::Factory RBFactory; RegionViews::Factory RVFactory; @@ -158,8 +185,9 @@ class VISIBILITY_HIDDEN RegionStoreManager : public StoreManager { const ImplicitParamDecl *SelfDecl; public: - RegionStoreManager(GRStateManager& mgr) + RegionStoreManager(GRStateManager& mgr, const RegionStoreFeatures &f) : StoreManager(mgr), + Features(f), RBFactory(mgr.getAllocator()), RVFactory(mgr.getAllocator()), SelfRegion(0), SelfDecl(0) { @@ -172,36 +200,32 @@ public: SubRegionMap* getSubRegionMap(const GRState *state); - const GRState* BindCompoundLiteral(const GRState* St, - const CompoundLiteralExpr* CL, SVal V); - /// getLValueString - Returns an SVal representing the lvalue of a /// StringLiteral. Within RegionStore a StringLiteral has an /// associated StringRegion, and the lvalue of a StringLiteral is /// the lvalue of that region. - SVal getLValueString(const GRState* St, const StringLiteral* S); + SVal getLValueString(const GRState *state, const StringLiteral* S); /// getLValueCompoundLiteral - Returns an SVal representing the /// lvalue of a compound literal. Within RegionStore a compound /// literal has an associated region, and the lvalue of the /// compound literal is the lvalue of that region. - SVal getLValueCompoundLiteral(const GRState* St, const CompoundLiteralExpr*); + SVal getLValueCompoundLiteral(const GRState *state, const CompoundLiteralExpr*); /// getLValueVar - Returns an SVal that represents the lvalue of a /// variable. Within RegionStore a variable has an associated /// VarRegion, and the lvalue of the variable is the lvalue of that region. - SVal getLValueVar(const GRState* St, const VarDecl* VD); + SVal getLValueVar(const GRState *state, const VarDecl* VD); - SVal getLValueIvar(const GRState* St, const ObjCIvarDecl* D, SVal Base); + SVal getLValueIvar(const GRState *state, const ObjCIvarDecl* D, SVal Base); - SVal getLValueField(const GRState* St, SVal Base, const FieldDecl* D); + SVal getLValueField(const GRState *state, SVal Base, const FieldDecl* D); - SVal getLValueFieldOrIvar(const GRState* St, SVal Base, const Decl* D); + SVal getLValueFieldOrIvar(const GRState *state, SVal Base, const Decl* D); - SVal getLValueElement(const GRState* St, QualType elementType, + SVal getLValueElement(const GRState *state, QualType elementType, SVal Base, SVal Offset); - SVal getSizeInElements(const GRState* St, const MemRegion* R); /// ArrayToPointer - Emulates the "decay" of an array to a pointer /// type. 'Array' represents the lvalue of the array being decayed @@ -211,27 +235,13 @@ public: /// casts from arrays to pointers. SVal ArrayToPointer(Loc Array); - CastResult CastRegion(const GRState* state, const MemRegion* R, + CastResult CastRegion(const GRState *state, const MemRegion* R, QualType CastToTy); - SVal EvalBinOp(const GRState *state,BinaryOperator::Opcode Op,Loc L,NonLoc R); + SVal EvalBinOp(const GRState *state, BinaryOperator::Opcode Op,Loc L,NonLoc R); - /// The high level logic for this method is this: - /// Retrieve (L) - /// if L has binding - /// return L's binding - /// else if L is in killset - /// return unknown - /// else - /// if L is on stack or heap - /// return undefined - /// else - /// return symbolic - SVal Retrieve(const GRState* state, Loc L, QualType T = QualType()); - const GRState* Bind(const GRState* St, Loc LV, SVal V); - Store Remove(Store store, Loc LV); Store getInitialStore() { return RBFactory.GetEmptyMap().getRoot(); } @@ -251,65 +261,130 @@ public: return SelfRegion; } - /// RemoveDeadBindings - Scans the RegionStore of 'state' for dead values. - /// It returns a new Store with these values removed, and populates LSymbols - // and DSymbols with the known set of live and dead symbols respectively. - Store RemoveDeadBindings(const GRState* state, Stmt* Loc, - SymbolReaper& SymReaper, - llvm::SmallVectorImpl<const MemRegion*>& RegionRoots); - const GRState* BindDecl(const GRState* St, const VarDecl* VD, SVal InitVal); + + //===-------------------------------------------------------------------===// + // Binding values to regions. + //===-------------------------------------------------------------------===// - const GRState* BindDeclWithNoInit(const GRState* St, const VarDecl* VD) { - return St; - } + const GRState *Bind(const GRState *state, Loc LV, SVal V); - const GRState* setExtent(const GRState* St, const MemRegion* R, SVal Extent); - const GRState* setCastType(const GRState* St, const MemRegion* R, QualType T); + const GRState *BindCompoundLiteral(const GRState *state, + const CompoundLiteralExpr* CL, SVal V); + + const GRState *BindDecl(const GRState *state, const VarDecl* VD, SVal InitVal); - static inline RegionBindingsTy GetRegionBindings(Store store) { - return RegionBindingsTy(static_cast<const RegionBindingsTy::TreeTy*>(store)); + const GRState *BindDeclWithNoInit(const GRState *state, const VarDecl* VD) { + return state; } - void print(Store store, std::ostream& Out, const char* nl, const char *sep); + /// BindStruct - Bind a compound value to a structure. + const GRState *BindStruct(const GRState *, const TypedRegion* R, SVal V); + + const GRState *BindArray(const GRState *state, const TypedRegion* R, SVal V); + + /// KillStruct - Set the entire struct to unknown. + const GRState *KillStruct(const GRState *state, const TypedRegion* R); - void iterBindings(Store store, BindingsHandler& f) { - // FIXME: Implement. - } - const GRState* setDefaultValue(const GRState* St, const MemRegion* R, SVal V); -private: - const GRState* BindArray(const GRState* St, const TypedRegion* R, SVal V); + const GRState *setDefaultValue(const GRState *state, const MemRegion* R, SVal V); + Store Remove(Store store, Loc LV); + + //===------------------------------------------------------------------===// + // Loading values from regions. + //===------------------------------------------------------------------===// + + /// The high level logic for this method is this: + /// Retrieve (L) + /// if L has binding + /// return L's binding + /// else if L is in killset + /// return unknown + /// else + /// if L is on stack or heap + /// return undefined + /// else + /// return symbolic + SVal Retrieve(const GRState *state, Loc L, QualType T = QualType()); + /// Retrieve the values in a struct and return a CompoundVal, used when doing /// struct copy: /// struct s x, y; /// x = y; /// y's value is retrieved by this method. - SVal RetrieveStruct(const GRState* St, const TypedRegion* R); + SVal RetrieveStruct(const GRState *St, const TypedRegion* R); + + SVal RetrieveArray(const GRState *St, const TypedRegion* R); - SVal RetrieveArray(const GRState* St, const TypedRegion* R); + //===------------------------------------------------------------------===// + // State pruning. + //===------------------------------------------------------------------===// + + /// RemoveDeadBindings - Scans the RegionStore of 'state' for dead values. + /// It returns a new Store with these values removed. + Store RemoveDeadBindings(const GRState *state, Stmt* Loc, SymbolReaper& SymReaper, + llvm::SmallVectorImpl<const MemRegion*>& RegionRoots); - const GRState* BindStruct(const GRState* St, const TypedRegion* R, SVal V); + //===------------------------------------------------------------------===// + // Region "extents". + //===------------------------------------------------------------------===// + + const GRState *setExtent(const GRState *state, const MemRegion* R, SVal Extent); + SVal getSizeInElements(const GRState *state, const MemRegion* R); - /// KillStruct - Set the entire struct to unknown. - const GRState* KillStruct(const GRState* St, const TypedRegion* R); + //===------------------------------------------------------------------===// + // Region "views". + //===------------------------------------------------------------------===// + + const GRState *AddRegionView(const GRState *state, const MemRegion* View, + const MemRegion* Base); + + const GRState *RemoveRegionView(const GRState *state, const MemRegion* View, + const MemRegion* Base); + //===------------------------------------------------------------------===// // Utility methods. - BasicValueFactory& getBasicVals() { return StateMgr.getBasicVals(); } - ASTContext& getContext() { return StateMgr.getContext(); } + //===------------------------------------------------------------------===// + + const GRState *setCastType(const GRState *state, const MemRegion* R, QualType T); - SymbolManager& getSymbolManager() { return StateMgr.getSymbolManager(); } + static inline RegionBindingsTy GetRegionBindings(Store store) { + return RegionBindingsTy(static_cast<const RegionBindingsTy::TreeTy*>(store)); + } - const GRState* AddRegionView(const GRState* St, - const MemRegion* View, const MemRegion* Base); - const GRState* RemoveRegionView(const GRState* St, - const MemRegion* View, const MemRegion* Base); + void print(Store store, std::ostream& Out, const char* nl, const char *sep); + + void iterBindings(Store store, BindingsHandler& f) { + // FIXME: Implement. + } + + // FIXME: Remove. + BasicValueFactory& getBasicVals() { + return StateMgr.getBasicVals(); + } + + // FIXME: Remove. + ASTContext& getContext() { return StateMgr.getContext(); } + + // FIXME: Use ValueManager? + SymbolManager& getSymbolManager() { return StateMgr.getSymbolManager(); } }; } // end anonymous namespace -StoreManager* clang::CreateRegionStoreManager(GRStateManager& StMgr) { - return new RegionStoreManager(StMgr); +//===----------------------------------------------------------------------===// +// RegionStore creation. +//===----------------------------------------------------------------------===// + +StoreManager *clang::CreateRegionStoreManager(GRStateManager& StMgr) { + RegionStoreFeatures F = maximal_features_tag(); + return new RegionStoreManager(StMgr, F); +} + +StoreManager *clang::CreateFieldsOnlyRegionStoreManager(GRStateManager &StMgr) { + RegionStoreFeatures F = minimal_features_tag(); + F.enableFields(true); + return new RegionStoreManager(StMgr, F); } SubRegionMap* RegionStoreManager::getSubRegionMap(const GRState *state) { @@ -324,11 +399,15 @@ SubRegionMap* RegionStoreManager::getSubRegionMap(const GRState *state) { return M; } +//===----------------------------------------------------------------------===// +// getLValueXXX methods. +//===----------------------------------------------------------------------===// + /// getLValueString - Returns an SVal representing the lvalue of a /// StringLiteral. Within RegionStore a StringLiteral has an /// associated StringRegion, and the lvalue of a StringLiteral is the /// lvalue of that region. -SVal RegionStoreManager::getLValueString(const GRState* St, +SVal RegionStoreManager::getLValueString(const GRState *St, const StringLiteral* S) { return loc::MemRegionVal(MRMgr.getStringRegion(S)); } @@ -336,7 +415,7 @@ SVal RegionStoreManager::getLValueString(const GRState* St, /// getLValueVar - Returns an SVal that represents the lvalue of a /// variable. Within RegionStore a variable has an associated /// VarRegion, and the lvalue of the variable is the lvalue of that region. -SVal RegionStoreManager::getLValueVar(const GRState* St, const VarDecl* VD) { +SVal RegionStoreManager::getLValueVar(const GRState *St, const VarDecl* VD) { return loc::MemRegionVal(MRMgr.getVarRegion(VD)); } @@ -345,22 +424,22 @@ SVal RegionStoreManager::getLValueVar(const GRState* St, const VarDecl* VD) { /// has an associated region, and the lvalue of the compound literal /// is the lvalue of that region. SVal -RegionStoreManager::getLValueCompoundLiteral(const GRState* St, +RegionStoreManager::getLValueCompoundLiteral(const GRState *St, const CompoundLiteralExpr* CL) { return loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL)); } -SVal RegionStoreManager::getLValueIvar(const GRState* St, const ObjCIvarDecl* D, +SVal RegionStoreManager::getLValueIvar(const GRState *St, const ObjCIvarDecl* D, SVal Base) { return getLValueFieldOrIvar(St, Base, D); } -SVal RegionStoreManager::getLValueField(const GRState* St, SVal Base, +SVal RegionStoreManager::getLValueField(const GRState *St, SVal Base, const FieldDecl* D) { return getLValueFieldOrIvar(St, Base, D); } -SVal RegionStoreManager::getLValueFieldOrIvar(const GRState* St, SVal Base, +SVal RegionStoreManager::getLValueFieldOrIvar(const GRState *St, SVal Base, const Decl* D) { if (Base.isUnknownOrUndef()) return Base; @@ -397,7 +476,7 @@ SVal RegionStoreManager::getLValueFieldOrIvar(const GRState* St, SVal Base, return loc::MemRegionVal(MRMgr.getFieldRegion(cast<FieldDecl>(D), BaseR)); } -SVal RegionStoreManager::getLValueElement(const GRState* St, +SVal RegionStoreManager::getLValueElement(const GRState *St, QualType elementType, SVal Base, SVal Offset) { @@ -438,7 +517,7 @@ SVal RegionStoreManager::getLValueElement(const GRState* St, } } return loc::MemRegionVal(MRMgr.getElementRegion(elementType, Offset, - BaseRegion)); + BaseRegion, getContext())); } SVal BaseIdx = ElemR->getIndex(); @@ -473,10 +552,15 @@ SVal RegionStoreManager::getLValueElement(const GRState* St, else NewIdx = nonloc::ConcreteInt(getBasicVals().getValue(BaseIdxI + OffI)); - return loc::MemRegionVal(MRMgr.getElementRegion(elementType, NewIdx, ArrayR)); + return loc::MemRegionVal(MRMgr.getElementRegion(elementType, NewIdx, ArrayR, + getContext())); } -SVal RegionStoreManager::getSizeInElements(const GRState* St, +//===----------------------------------------------------------------------===// +// Extents for regions. +//===----------------------------------------------------------------------===// + +SVal RegionStoreManager::getSizeInElements(const GRState *state, const MemRegion* R) { if (const VarRegion* VR = dyn_cast<VarRegion>(R)) { // Get the type of the variable. @@ -491,8 +575,7 @@ SVal RegionStoreManager::getSizeInElements(const GRState* St, return NonLoc::MakeVal(getBasicVals(), CAT->getSize(), false); } - GRStateRef state(St, StateMgr); - const QualType* CastTy = state.get<RegionCasts>(VR); + const QualType* CastTy = state->get<RegionCasts>(VR); // If the VarRegion is cast to other type, compute the size with respect to // that type. @@ -501,6 +584,7 @@ SVal RegionStoreManager::getSizeInElements(const GRState* St, QualType VarTy = VR->getValueType(getContext()); uint64_t EleSize = getContext().getTypeSize(EleTy); uint64_t VarSize = getContext().getTypeSize(VarTy); + assert(VarSize != 0); return NonLoc::MakeIntVal(getBasicVals(), VarSize / EleSize, false); } @@ -538,6 +622,16 @@ SVal RegionStoreManager::getSizeInElements(const GRState* St, return UnknownVal(); } +const GRState *RegionStoreManager::setExtent(const GRState *state, + const MemRegion *region, + SVal extent) { + return state->set<RegionExtents>(region, extent); +} + +//===----------------------------------------------------------------------===// +// Location and region casting. +//===----------------------------------------------------------------------===// + /// ArrayToPointer - Emulates the "decay" of an array to a pointer /// type. 'Array' represents the lvalue of the array being decayed /// to a pointer, and the returned SVal represents the decayed @@ -560,13 +654,13 @@ SVal RegionStoreManager::ArrayToPointer(Loc Array) { T = AT->getElementType(); nonloc::ConcreteInt Idx(getBasicVals().getZeroWithPtrWidth(false)); - ElementRegion* ER = MRMgr.getElementRegion(T, Idx, ArrayR); + ElementRegion* ER = MRMgr.getElementRegion(T, Idx, ArrayR, getContext()); return loc::MemRegionVal(ER); } RegionStoreManager::CastResult -RegionStoreManager::CastRegion(const GRState* state, const MemRegion* R, +RegionStoreManager::CastRegion(const GRState *state, const MemRegion* R, QualType CastToTy) { ASTContext& Ctx = StateMgr.getContext(); @@ -575,7 +669,7 @@ RegionStoreManager::CastRegion(const GRState* state, const MemRegion* R, QualType ToTy = Ctx.getCanonicalType(CastToTy); // Check cast to ObjCQualifiedID type. - if (isa<ObjCQualifiedIdType>(ToTy)) { + if (ToTy->isObjCQualifiedIdType()) { // FIXME: Record the type information aside. return CastResult(state, R); } @@ -617,15 +711,18 @@ RegionStoreManager::CastRegion(const GRState* state, const MemRegion* R, uint64_t ObjTySize = getContext().getTypeSize(ObjTy); if ((PointeeTySize > 0 && PointeeTySize < ObjTySize) || - (ObjTy->isAggregateType() && PointeeTy->isScalarType())) { + (ObjTy->isAggregateType() && PointeeTy->isScalarType()) || + ObjTySize == 0 /* R has 'void*' type. */) { // Record the cast type of the region. state = setCastType(state, R, ToTy); SVal Idx = ValMgr.makeZeroArrayIndex(); - ElementRegion* ER = MRMgr.getElementRegion(PointeeTy, Idx, R); + ElementRegion* ER = MRMgr.getElementRegion(PointeeTy, Idx,R,getContext()); return CastResult(state, ER); - } else + } else { + state = setCastType(state, R, ToTy); return CastResult(state, R); + } } if (isa<ObjCObjectRegion>(R)) { @@ -636,6 +733,10 @@ RegionStoreManager::CastRegion(const GRState* state, const MemRegion* R, return 0; } +//===----------------------------------------------------------------------===// +// Pointer arithmetic. +//===----------------------------------------------------------------------===// + SVal RegionStoreManager::EvalBinOp(const GRState *state, BinaryOperator::Opcode Op, Loc L, NonLoc R) { // Assume the base location is MemRegionVal. @@ -648,26 +749,37 @@ SVal RegionStoreManager::EvalBinOp(const GRState *state, // If the operand is a symbolic or alloca region, create the first element // region on it. if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR)) { - // Get symbol's type. It should be a pointer type. - SymbolRef Sym = SR->getSymbol(); - QualType T = Sym->getType(getContext()); + QualType T; + // If the SymbolicRegion was cast to another type, use that type. + if (const QualType *t = state->get<RegionCasts>(SR)) { + T = *t; + } else { + // Otherwise use the symbol's type. + SymbolRef Sym = SR->getSymbol(); + T = Sym->getType(getContext()); + } QualType EleTy = T->getAsPointerType()->getPointeeType(); SVal ZeroIdx = ValMgr.makeZeroArrayIndex(); - ER = MRMgr.getElementRegion(EleTy, ZeroIdx, SR); + ER = MRMgr.getElementRegion(EleTy, ZeroIdx, SR, getContext()); } else if (const AllocaRegion *AR = dyn_cast<AllocaRegion>(MR)) { // Get the alloca region's current cast type. - GRStateRef StRef(state, StateMgr); - GRStateTrait<RegionCasts>::lookup_type T = StRef.get<RegionCasts>(AR); + + GRStateTrait<RegionCasts>::lookup_type T = state->get<RegionCasts>(AR); assert(T && "alloca region has no type."); QualType EleTy = cast<PointerType>(T->getTypePtr())->getPointeeType(); SVal ZeroIdx = ValMgr.makeZeroArrayIndex(); - ER = MRMgr.getElementRegion(EleTy, ZeroIdx, AR); + ER = MRMgr.getElementRegion(EleTy, ZeroIdx, AR, getContext()); } - else + else if (isa<FieldRegion>(MR)) { + // Not track pointer arithmetic on struct fields. + return UnknownVal(); + } + else { ER = cast<ElementRegion>(MR); + } SVal Idx = ER->getIndex(); @@ -686,7 +798,8 @@ SVal RegionStoreManager::EvalBinOp(const GRState *state, Offset->getValue())); SVal NewIdx = Base->EvalBinOp(getBasicVals(), Op, OffConverted); const MemRegion* NewER = - MRMgr.getElementRegion(ER->getElementType(), NewIdx,ER->getSuperRegion()); + MRMgr.getElementRegion(ER->getElementType(), NewIdx,ER->getSuperRegion(), + getContext()); return Loc::MakeVal(NewER); } @@ -694,7 +807,12 @@ SVal RegionStoreManager::EvalBinOp(const GRState *state, return UnknownVal(); } -SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { +//===----------------------------------------------------------------------===// +// Loading values from regions. +//===----------------------------------------------------------------------===// + +SVal RegionStoreManager::Retrieve(const GRState *state, Loc L, QualType T) { + assert(!isa<UnknownVal>(L) && "location unknown"); assert(!isa<UndefinedVal>(L) && "location undefined"); @@ -703,7 +821,7 @@ SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { if (isa<loc::ConcreteInt>(L)) return UndefinedVal(); - const MemRegion* MR = cast<loc::MemRegionVal>(L).getRegion(); + const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion(); // FIXME: return symbolic value for these cases. // Example: @@ -716,7 +834,7 @@ SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { // FIXME: Perhaps this method should just take a 'const MemRegion*' argument // instead of 'Loc', and have the other Loc cases handled at a higher level. - const TypedRegion* R = cast<TypedRegion>(MR); + const TypedRegion *R = cast<TypedRegion>(MR); assert(R && "bad region"); // FIXME: We should eventually handle funny addressing. e.g.: @@ -731,26 +849,24 @@ SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { QualType RTy = R->getValueType(getContext()); if (RTy->isStructureType()) - return RetrieveStruct(St, R); + return RetrieveStruct(state, R); if (RTy->isArrayType()) - return RetrieveArray(St, R); + return RetrieveArray(state, R); // FIXME: handle Vector types. if (RTy->isVectorType()) return UnknownVal(); - RegionBindingsTy B = GetRegionBindings(St->getStore()); + RegionBindingsTy B = GetRegionBindings(state->getStore()); RegionBindingsTy::data_type* V = B.lookup(R); // Check if the region has a binding. if (V) return *V; - GRStateRef state(St, StateMgr); - // Check if the region is in killset. - if (state.contains<RegionKills>(R)) + if (state->contains<RegionKills>(R)) return UnknownVal(); // Check if the region is an element region of a string literal. @@ -775,7 +891,7 @@ SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { if (isa<ElementRegion>(R) || isa<FieldRegion>(R)) { const MemRegion* SuperR = cast<SubRegion>(R)->getSuperRegion(); GRStateTrait<RegionDefaultValue>::lookup_type D = - state.get<RegionDefaultValue>(SuperR); + state->get<RegionDefaultValue>(SuperR); if (D) { // If the default value is symbolic, we need to create a new symbol. if (D->hasConjuredSymbol()) @@ -829,14 +945,22 @@ SVal RegionStoreManager::Retrieve(const GRState* St, Loc L, QualType T) { return UndefinedVal(); } + // If the region is already cast to another type, use that type to create the + // symbol value. + if (const QualType *p = state->get<RegionCasts>(R)) { + QualType T = *p; + RTy = T->getAsPointerType()->getPointeeType(); + } + // All other integer values are symbolic. if (Loc::IsLocType(RTy) || RTy->isIntegerType()) - return ValMgr.getRegionValueSymbolVal(R); + return ValMgr.getRegionValueSymbolVal(R, RTy); else return UnknownVal(); } -SVal RegionStoreManager::RetrieveStruct(const GRState* St,const TypedRegion* R){ +SVal RegionStoreManager::RetrieveStruct(const GRState *state, + const TypedRegion* R){ QualType T = R->getValueType(getContext()); assert(T->isStructureType()); @@ -846,6 +970,8 @@ SVal RegionStoreManager::RetrieveStruct(const GRState* St,const TypedRegion* R){ llvm::ImmutableList<SVal> StructVal = getBasicVals().getEmptySValList(); + // FIXME: We shouldn't use a std::vector. If RecordDecl doesn't have a + // reverse iterator, we should implement one. std::vector<FieldDecl *> Fields(RD->field_begin(getContext()), RD->field_end(getContext())); @@ -854,14 +980,16 @@ SVal RegionStoreManager::RetrieveStruct(const GRState* St,const TypedRegion* R){ Field != FieldEnd; ++Field) { FieldRegion* FR = MRMgr.getFieldRegion(*Field, R); QualType FTy = (*Field)->getType(); - SVal FieldValue = Retrieve(St, loc::MemRegionVal(FR), FTy); + SVal FieldValue = Retrieve(state, loc::MemRegionVal(FR), FTy); StructVal = getBasicVals().consVals(FieldValue, StructVal); } return NonLoc::MakeCompoundVal(T, StructVal, getBasicVals()); } -SVal RegionStoreManager::RetrieveArray(const GRState* St, const TypedRegion* R){ +SVal RegionStoreManager::RetrieveArray(const GRState *state, + const TypedRegion * R) { + QualType T = R->getValueType(getContext()); ConstantArrayType* CAT = cast<ConstantArrayType>(T.getTypePtr()); @@ -871,41 +999,19 @@ SVal RegionStoreManager::RetrieveArray(const GRState* St, const TypedRegion* R){ for (; i < Size; ++i) { SVal Idx = NonLoc::MakeVal(getBasicVals(), i); - ElementRegion* ER = MRMgr.getElementRegion(CAT->getElementType(), Idx, R); + ElementRegion* ER = MRMgr.getElementRegion(CAT->getElementType(), Idx, R, + getContext()); QualType ETy = ER->getElementType(); - SVal ElementVal = Retrieve(St, loc::MemRegionVal(ER), ETy); + SVal ElementVal = Retrieve(state, loc::MemRegionVal(ER), ETy); ArrayVal = getBasicVals().consVals(ElementVal, ArrayVal); } return NonLoc::MakeCompoundVal(T, ArrayVal, getBasicVals()); } -const GRState* RegionStoreManager::Bind(const GRState* St, Loc L, SVal V) { - // If we get here, the location should be a region. - const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion(); - assert(R); - - // Check if the region is a struct region. - if (const TypedRegion* TR = dyn_cast<TypedRegion>(R)) - if (TR->getValueType(getContext())->isStructureType()) - return BindStruct(St, TR, V); - - Store store = St->getStore(); - RegionBindingsTy B = GetRegionBindings(store); - - if (V.isUnknown()) { - // Remove the binding. - store = RBFactory.Remove(B, R).getRoot(); - - // Add the region to the killset. - GRStateRef state(St, StateMgr); - St = state.add<RegionKills>(R); - } - else - store = RBFactory.Add(B, R, V).getRoot(); - - return StateMgr.MakeStateWithStore(St, store); -} +//===----------------------------------------------------------------------===// +// Binding values to regions. +//===----------------------------------------------------------------------===// Store RegionStoreManager::Remove(Store store, Loc L) { const MemRegion* R = 0; @@ -921,34 +1027,235 @@ Store RegionStoreManager::Remove(Store store, Loc L) { return store; } -const GRState* RegionStoreManager::BindDecl(const GRState* St, +const GRState *RegionStoreManager::Bind(const GRState *state, Loc L, SVal V) { + // If we get here, the location should be a region. + const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion(); + + // Check if the region is a struct region. + if (const TypedRegion* TR = dyn_cast<TypedRegion>(R)) + if (TR->getValueType(getContext())->isStructureType()) + return BindStruct(state, TR, V); + + RegionBindingsTy B = GetRegionBindings(state->getStore()); + + if (V.isUnknown()) { + B = RBFactory.Remove(B, R); // Remove the binding. + state = state->add<RegionKills>(R); // Add the region to the killset. + } + else + B = RBFactory.Add(B, R, V); + + return state->makeWithStore(B.getRoot()); +} + +const GRState *RegionStoreManager::BindDecl(const GRState *state, const VarDecl* VD, SVal InitVal) { QualType T = VD->getType(); VarRegion* VR = MRMgr.getVarRegion(VD); if (T->isArrayType()) - return BindArray(St, VR, InitVal); + return BindArray(state, VR, InitVal); if (T->isStructureType()) - return BindStruct(St, VR, InitVal); + return BindStruct(state, VR, InitVal); - return Bind(St, Loc::MakeVal(VR), InitVal); + return Bind(state, Loc::MakeVal(VR), InitVal); } // FIXME: this method should be merged into Bind(). -const GRState* -RegionStoreManager::BindCompoundLiteral(const GRState* St, - const CompoundLiteralExpr* CL, SVal V) { +const GRState * +RegionStoreManager::BindCompoundLiteral(const GRState *state, + const CompoundLiteralExpr* CL, + SVal V) { + CompoundLiteralRegion* R = MRMgr.getCompoundLiteralRegion(CL); - return Bind(St, loc::MemRegionVal(R), V); + return Bind(state, loc::MemRegionVal(R), V); } -const GRState* RegionStoreManager::setExtent(const GRState* St, - const MemRegion* R, SVal Extent) { - GRStateRef state(St, StateMgr); - return state.set<RegionExtents>(R, Extent); +const GRState *RegionStoreManager::BindArray(const GRState *state, + const TypedRegion* R, + SVal Init) { + + QualType T = R->getValueType(getContext()); + assert(T->isArrayType()); + + // When we are binding the whole array, it always has default value 0. + state = state->set<RegionDefaultValue>(R, NonLoc::MakeIntVal(getBasicVals(), + 0, false)); + + ConstantArrayType* CAT = cast<ConstantArrayType>(T.getTypePtr()); + + llvm::APSInt Size(CAT->getSize(), false); + llvm::APSInt i = getBasicVals().getValue(0, Size.getBitWidth(), + Size.isUnsigned()); + + // Check if the init expr is a StringLiteral. + if (isa<loc::MemRegionVal>(Init)) { + const MemRegion* InitR = cast<loc::MemRegionVal>(Init).getRegion(); + const StringLiteral* S = cast<StringRegion>(InitR)->getStringLiteral(); + const char* str = S->getStrData(); + unsigned len = S->getByteLength(); + unsigned j = 0; + + // Copy bytes from the string literal into the target array. Trailing bytes + // in the array that are not covered by the string literal are initialized + // to zero. + for (; i < Size; ++i, ++j) { + if (j >= len) + break; + + SVal Idx = NonLoc::MakeVal(getBasicVals(), i); + ElementRegion* ER = + MRMgr.getElementRegion(cast<ArrayType>(T)->getElementType(), + Idx, R, getContext()); + + SVal V = NonLoc::MakeVal(getBasicVals(), str[j], sizeof(char)*8, true); + state = Bind(state, loc::MemRegionVal(ER), V); + } + + return state; + } + + nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init); + nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); + + for (; i < Size; ++i, ++VI) { + // The init list might be shorter than the array decl. + if (VI == VE) + break; + + SVal Idx = NonLoc::MakeVal(getBasicVals(), i); + ElementRegion* ER = + MRMgr.getElementRegion(cast<ArrayType>(T)->getElementType(), + Idx, R, getContext()); + + if (CAT->getElementType()->isStructureType()) + state = BindStruct(state, ER, *VI); + else + state = Bind(state, Loc::MakeVal(ER), *VI); + } + + return state; } +const GRState * +RegionStoreManager::BindStruct(const GRState *state, const TypedRegion* R, + SVal V) { + + if (!Features.supportsFields()) + return state; + + QualType T = R->getValueType(getContext()); + assert(T->isStructureType()); + + const RecordType* RT = T->getAsRecordType(); + RecordDecl* RD = RT->getDecl(); + + if (!RD->isDefinition()) + return state; + + // We may get non-CompoundVal accidentally due to imprecise cast logic. + // Ignore them and kill the field values. + if (V.isUnknown() || !isa<nonloc::CompoundVal>(V)) + return KillStruct(state, R); + + nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); + nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); + + for (RecordDecl::field_iterator FI = RD->field_begin(getContext()), + FE = RD->field_end(getContext()); + FI != FE; ++FI, ++VI) { + + // There may be fewer values than fields only when we are initializing a + // struct decl. In this case, mark the region as having default value. + if (VI == VE) { + const NonLoc& Idx = NonLoc::MakeIntVal(getBasicVals(), 0, false); + state = state->set<RegionDefaultValue>(R, Idx); + break; + } + + QualType FTy = (*FI)->getType(); + FieldRegion* FR = MRMgr.getFieldRegion(*FI, R); + + if (Loc::IsLocType(FTy) || FTy->isIntegerType()) + state = Bind(state, Loc::MakeVal(FR), *VI); + else if (FTy->isArrayType()) + state = BindArray(state, FR, *VI); + else if (FTy->isStructureType()) + state = BindStruct(state, FR, *VI); + } + + return state; +} + +const GRState *RegionStoreManager::KillStruct(const GRState *state, + const TypedRegion* R){ + + // (1) Kill the struct region because it is assigned "unknown". + // (2) Set the default value of the struct region to "unknown". + state = state->add<RegionKills>(R)->set<RegionDefaultValue>(R, UnknownVal()); + Store store = state->getStore(); + RegionBindingsTy B = GetRegionBindings(store); + + // Remove all bindings for the subregions of the struct. + for (RegionBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { + const MemRegion* R = I.getKey(); + if (const SubRegion* subRegion = dyn_cast<SubRegion>(R)) + if (subRegion->isSubRegionOf(R)) + store = Remove(store, Loc::MakeVal(subRegion)); + // FIXME: Maybe we should also remove the bindings for the "views" of the + // subregions. + } + + return state->makeWithStore(store); +} + +//===----------------------------------------------------------------------===// +// Region views. +//===----------------------------------------------------------------------===// + +const GRState *RegionStoreManager::AddRegionView(const GRState *state, + const MemRegion* View, + const MemRegion* Base) { + + // First, retrieve the region view of the base region. + const RegionViews* d = state->get<RegionViewMap>(Base); + RegionViews L = d ? *d : RVFactory.GetEmptySet(); + + // Now add View to the region view. + L = RVFactory.Add(L, View); + + // Create a new state with the new region view. + return state->set<RegionViewMap>(Base, L); +} + +const GRState *RegionStoreManager::RemoveRegionView(const GRState *state, + const MemRegion* View, + const MemRegion* Base) { + // Retrieve the region view of the base region. + const RegionViews* d = state->get<RegionViewMap>(Base); + + // If the base region has no view, return. + if (!d) + return state; + + // Remove the view. + return state->set<RegionViewMap>(Base, RVFactory.Remove(*d, View)); +} + +const GRState *RegionStoreManager::setCastType(const GRState *state, + const MemRegion* R, QualType T) { + return state->set<RegionCasts>(R, T); +} + +const GRState *RegionStoreManager::setDefaultValue(const GRState *state, + const MemRegion* R, SVal V) { + return state->set<RegionDefaultValue>(R, V); +} + +//===----------------------------------------------------------------------===// +// State pruning. +//===----------------------------------------------------------------------===// static void UpdateLiveSymbols(SVal X, SymbolReaper& SymReaper) { if (loc::MemRegionVal *XR = dyn_cast<loc::MemRegionVal>(&X)) { @@ -975,11 +1282,10 @@ static void UpdateLiveSymbols(SVal X, SymbolReaper& SymReaper) { SymReaper.markLive(*SI); } -Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, +Store RegionStoreManager::RemoveDeadBindings(const GRState *state, Stmt* Loc, SymbolReaper& SymReaper, llvm::SmallVectorImpl<const MemRegion*>& RegionRoots) -{ - +{ Store store = state->getStore(); RegionBindingsTy B = GetRegionBindings(store); @@ -1002,18 +1308,17 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, // Do a pass over the regions in the store. For VarRegions we check if // the variable is still live and if so add it to the list of live roots. - // For other regions we populate our region backmap. - + // For other regions we populate our region backmap. llvm::SmallVector<const MemRegion*, 10> IntermediateRoots; - + for (RegionBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { IntermediateRoots.push_back(I.getKey()); } - + while (!IntermediateRoots.empty()) { const MemRegion* R = IntermediateRoots.back(); IntermediateRoots.pop_back(); - + if (const VarRegion* VR = dyn_cast<VarRegion>(R)) { if (SymReaper.isLive(Loc, VR->getDecl())) RegionRoots.push_back(VR); // This is a live "root". @@ -1025,14 +1330,14 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, else { // Get the super region for R. const MemRegion* SuperR = cast<SubRegion>(R)->getSuperRegion(); - + // Get the current set of subregions for SuperR. const SubRegionsTy* SRptr = SubRegMap.lookup(SuperR); SubRegionsTy SRs = SRptr ? *SRptr : SubRegF.GetEmptySet(); - + // Add R to the subregions of SuperR. SubRegMap = SubRegMapF.Add(SubRegMap, SuperR, SubRegF.Add(SRs, R)); - + // Super region may be VarRegion or subregion of another VarRegion. Add it // to the work list. if (isa<SubRegion>(SuperR)) @@ -1048,10 +1353,10 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, // Dequeue the next region on the worklist. const MemRegion* R = RegionRoots.back(); RegionRoots.pop_back(); - + // Check if we have already processed this region. if (Marked.count(R)) continue; - + // Mark this region as processed. This is needed for termination in case // a region is referenced more than once. Marked.insert(R); @@ -1060,13 +1365,13 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, // should continue to track that symbol. if (const SymbolicRegion* SymR = dyn_cast<SymbolicRegion>(R)) SymReaper.markLive(SymR->getSymbol()); - + // Get the data binding for R (if any). RegionBindingsTy::data_type* Xptr = B.lookup(R); if (Xptr) { SVal X = *Xptr; UpdateLiveSymbols(X, SymReaper); // Update the set of live symbols. - + // If X is a region, then add it the RegionRoots. if (loc::MemRegionVal* RegionX = dyn_cast<loc::MemRegionVal>(&X)) RegionRoots.push_back(RegionX->getRegion()); @@ -1094,11 +1399,11 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, // Remove this dead region from the store. store = Remove(store, Loc::MakeVal(R)); - + // Mark all non-live symbols that this region references as dead. if (const SymbolicRegion* SymR = dyn_cast<SymbolicRegion>(R)) SymReaper.maybeDead(SymR->getSymbol()); - + SVal X = I.getData(); SVal::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end(); for (; SI != SE; ++SI) SymReaper.maybeDead(*SI); @@ -1107,203 +1412,18 @@ Store RegionStoreManager::RemoveDeadBindings(const GRState* state, Stmt* Loc, return store; } +//===----------------------------------------------------------------------===// +// Utility methods. +//===----------------------------------------------------------------------===// + void RegionStoreManager::print(Store store, std::ostream& Out, const char* nl, const char *sep) { llvm::raw_os_ostream OS(Out); RegionBindingsTy B = GetRegionBindings(store); OS << "Store:" << nl; - + for (RegionBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { OS << ' '; I.getKey()->print(OS); OS << " : "; I.getData().print(OS); OS << nl; } } - -const GRState* RegionStoreManager::BindArray(const GRState* St, - const TypedRegion* R, SVal Init) { - QualType T = R->getValueType(getContext()); - assert(T->isArrayType()); - - // When we are binding the whole array, it always has default value 0. - GRStateRef state(St, StateMgr); - St = state.set<RegionDefaultValue>(R, NonLoc::MakeIntVal(getBasicVals(), 0, - false)); - - ConstantArrayType* CAT = cast<ConstantArrayType>(T.getTypePtr()); - - llvm::APSInt Size(CAT->getSize(), false); - llvm::APSInt i = getBasicVals().getValue(0, Size.getBitWidth(), - Size.isUnsigned()); - - // Check if the init expr is a StringLiteral. - if (isa<loc::MemRegionVal>(Init)) { - const MemRegion* InitR = cast<loc::MemRegionVal>(Init).getRegion(); - const StringLiteral* S = cast<StringRegion>(InitR)->getStringLiteral(); - const char* str = S->getStrData(); - unsigned len = S->getByteLength(); - unsigned j = 0; - - // Copy bytes from the string literal into the target array. Trailing bytes - // in the array that are not covered by the string literal are initialized - // to zero. - for (; i < Size; ++i, ++j) { - if (j >= len) - break; - - SVal Idx = NonLoc::MakeVal(getBasicVals(), i); - ElementRegion* ER = - MRMgr.getElementRegion(cast<ArrayType>(T)->getElementType(), - Idx, R); - - SVal V = NonLoc::MakeVal(getBasicVals(), str[j], sizeof(char)*8, true); - St = Bind(St, loc::MemRegionVal(ER), V); - } - - return St; - } - - nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init); - nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); - - for (; i < Size; ++i, ++VI) { - // The init list might be shorter than the array decl. - if (VI == VE) - break; - - SVal Idx = NonLoc::MakeVal(getBasicVals(), i); - ElementRegion* ER = - MRMgr.getElementRegion(cast<ArrayType>(T)->getElementType(), - Idx, R); - - if (CAT->getElementType()->isStructureType()) - St = BindStruct(St, ER, *VI); - else - St = Bind(St, Loc::MakeVal(ER), *VI); - } - - return St; -} - -const GRState* -RegionStoreManager::BindStruct(const GRState* St, const TypedRegion* R, SVal V){ - QualType T = R->getValueType(getContext()); - assert(T->isStructureType()); - - const RecordType* RT = T->getAsRecordType(); - RecordDecl* RD = RT->getDecl(); - - if (!RD->isDefinition()) - return St; - - if (V.isUnknown()) - return KillStruct(St, R); - - // We may get non-CompoundVal accidentally due to imprecise cast logic. Ignore - // them and make struct unknown. - if (!isa<nonloc::CompoundVal>(V)) - return KillStruct(St, R); - - nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V); - nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); - RecordDecl::field_iterator FI = RD->field_begin(getContext()), - FE = RD->field_end(getContext()); - - for (; FI != FE; ++FI, ++VI) { - - // There may be fewer values than fields only when we are initializing a - // struct decl. In this case, mark the region as having default value. - if (VI == VE) { - GRStateRef state(St, StateMgr); - const NonLoc& Idx = NonLoc::MakeIntVal(getBasicVals(), 0, false); - St = state.set<RegionDefaultValue>(R, Idx); - break; - } - - QualType FTy = (*FI)->getType(); - FieldRegion* FR = MRMgr.getFieldRegion(*FI, R); - - if (Loc::IsLocType(FTy) || FTy->isIntegerType()) - St = Bind(St, Loc::MakeVal(FR), *VI); - - else if (FTy->isArrayType()) - St = BindArray(St, FR, *VI); - - else if (FTy->isStructureType()) - St = BindStruct(St, FR, *VI); - } - - return St; -} - -const GRState* RegionStoreManager::KillStruct(const GRState* St, - const TypedRegion* R){ - GRStateRef state(St, StateMgr); - - // Kill the struct region because it is assigned "unknown". - St = state.add<RegionKills>(R); - - // Set the default value of the struct region to "unknown". - St = state.set<RegionDefaultValue>(R, UnknownVal()); - - Store store = St->getStore(); - RegionBindingsTy B = GetRegionBindings(store); - - // Remove all bindings for the subregions of the struct. - for (RegionBindingsTy::iterator I = B.begin(), E = B.end(); I != E; ++I) { - const MemRegion* r = I.getKey(); - if (const SubRegion* sr = dyn_cast<SubRegion>(r)) - if (sr->isSubRegionOf(R)) - store = Remove(store, Loc::MakeVal(sr)); - // FIXME: Maybe we should also remove the bindings for the "views" of the - // subregions. - } - - return StateMgr.MakeStateWithStore(St, store); -} - -const GRState* RegionStoreManager::AddRegionView(const GRState* St, - const MemRegion* View, - const MemRegion* Base) { - GRStateRef state(St, StateMgr); - - // First, retrieve the region view of the base region. - const RegionViews* d = state.get<RegionViewMap>(Base); - RegionViews L = d ? *d : RVFactory.GetEmptySet(); - - // Now add View to the region view. - L = RVFactory.Add(L, View); - - // Create a new state with the new region view. - return state.set<RegionViewMap>(Base, L); -} - -const GRState* RegionStoreManager::RemoveRegionView(const GRState* St, - const MemRegion* View, - const MemRegion* Base) { - GRStateRef state(St, StateMgr); - - // Retrieve the region view of the base region. - const RegionViews* d = state.get<RegionViewMap>(Base); - - // If the base region has no view, return. - if (!d) - return St; - - // Remove the view. - RegionViews V = *d; - V = RVFactory.Remove(V, View); - - return state.set<RegionViewMap>(Base, V); -} - -const GRState* RegionStoreManager::setCastType(const GRState* St, - const MemRegion* R, QualType T) { - GRStateRef state(St, StateMgr); - return state.set<RegionCasts>(R, T); -} - -const GRState* RegionStoreManager::setDefaultValue(const GRState* St, - const MemRegion* R, SVal V) { - GRStateRef state(St, StateMgr); - return state.set<RegionDefaultValue>(R, V); -} |
