//== BasicConstraintManager.cpp - Manage basic constraints.------*- C++ -*--==// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This file defines BasicConstraintManager, a class that tracks simple // equality and inequality constraints on symbolic values of ProgramState. // //===----------------------------------------------------------------------===// #include "SimpleConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "llvm/Support/raw_ostream.h" using namespace clang; using namespace ento; namespace { class ConstNotEq {}; } namespace { class ConstEq {}; } typedef llvm::ImmutableMap ConstNotEqTy; typedef llvm::ImmutableMap ConstEqTy; static int ConstEqIndex = 0; static int ConstNotEqIndex = 0; namespace clang { namespace ento { template<> struct ProgramStateTrait : public ProgramStatePartialTrait { static inline void *GDMIndex() { return &ConstNotEqIndex; } }; template<> struct ProgramStateTrait : public ProgramStatePartialTrait { static inline void *GDMIndex() { return &ConstEqIndex; } }; } } namespace { // BasicConstraintManager only tracks equality and inequality constraints of // constants and integer variables. class BasicConstraintManager : public SimpleConstraintManager { ProgramState::IntSetTy::Factory ISetFactory; public: BasicConstraintManager(ProgramStateManager &statemgr, SubEngine &subengine) : SimpleConstraintManager(subengine, statemgr.getBasicVals()), ISetFactory(statemgr.getAllocator()) {} ProgramStateRef assumeSymEquality(ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment, bool Assumption); ProgramStateRef assumeSymNE(ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { return assumeSymEquality(State, Sym, V, Adjustment, false); } ProgramStateRef assumeSymEQ(ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { return assumeSymEquality(State, Sym, V, Adjustment, true); } ProgramStateRef assumeSymLT(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V, const llvm::APSInt& Adjustment); ProgramStateRef assumeSymGT(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V, const llvm::APSInt& Adjustment); ProgramStateRef assumeSymGE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V, const llvm::APSInt& Adjustment); ProgramStateRef assumeSymLE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V, const llvm::APSInt& Adjustment); ProgramStateRef AddEQ(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V); ProgramStateRef AddNE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V); const llvm::APSInt* getSymVal(ProgramStateRef state, SymbolRef sym) const; bool isNotEqual(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) const; bool isEqual(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) const; ProgramStateRef removeDeadBindings(ProgramStateRef state, SymbolReaper& SymReaper); bool performTest(llvm::APSInt SymVal, llvm::APSInt Adjustment, BinaryOperator::Opcode Op, llvm::APSInt ComparisonVal); void print(ProgramStateRef state, raw_ostream &Out, const char* nl, const char *sep); }; } // end anonymous namespace ConstraintManager* ento::CreateBasicConstraintManager(ProgramStateManager& statemgr, SubEngine &subengine) { return new BasicConstraintManager(statemgr, subengine); } // FIXME: This is a more general utility and should live somewhere else. bool BasicConstraintManager::performTest(llvm::APSInt SymVal, llvm::APSInt Adjustment, BinaryOperator::Opcode Op, llvm::APSInt ComparisonVal) { APSIntType Type(Adjustment); Type.apply(SymVal); Type.apply(ComparisonVal); SymVal += Adjustment; assert(BinaryOperator::isComparisonOp(Op)); BasicValueFactory &BVF = getBasicVals(); const llvm::APSInt *Result = BVF.evalAPSInt(Op, SymVal, ComparisonVal); assert(Result && "Comparisons should always have valid results."); return Result->getBoolValue(); } ProgramStateRef BasicConstraintManager::assumeSymEquality(ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment, bool Assumption) { // Before we do any real work, see if the value can even show up. APSIntType AdjustmentType(Adjustment); if (AdjustmentType.testInRange(V) != APSIntType::RTR_Within) return Assumption ? NULL : State; // Get the symbol type. BasicValueFactory &BVF = getBasicVals(); ASTContext &Ctx = BVF.getContext(); APSIntType SymbolType = BVF.getAPSIntType(Sym->getType(Ctx)); // First, see if the adjusted value is within range for the symbol. llvm::APSInt Adjusted = AdjustmentType.convert(V) - Adjustment; if (SymbolType.testInRange(Adjusted) != APSIntType::RTR_Within) return Assumption ? NULL : State; // Now we can do things properly in the symbol space. SymbolType.apply(Adjusted); // Second, determine if sym == X, where X+Adjustment != V. if (const llvm::APSInt *X = getSymVal(State, Sym)) { bool IsFeasible = (*X == Adjusted); return (IsFeasible == Assumption) ? State : NULL; } // Third, determine if we already know sym+Adjustment != V. if (isNotEqual(State, Sym, Adjusted)) return Assumption ? NULL : State; // If we reach here, sym is not a constant and we don't know if it is != V. // Make the correct assumption. if (Assumption) return AddEQ(State, Sym, Adjusted); else return AddNE(State, Sym, Adjusted); } // The logic for these will be handled in another ConstraintManager. // Approximate it here anyway by handling some edge cases. ProgramStateRef BasicConstraintManager::assumeSymLT(ProgramStateRef state, SymbolRef sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { APSIntType ComparisonType(V), AdjustmentType(Adjustment); // Is 'V' out of range above the type? llvm::APSInt Max = AdjustmentType.getMaxValue(); if (V > ComparisonType.convert(Max)) { // This path is trivially feasible. return state; } // Is 'V' the smallest possible value, or out of range below the type? llvm::APSInt Min = AdjustmentType.getMinValue(); if (V <= ComparisonType.convert(Min)) { // sym cannot be any value less than 'V'. This path is infeasible. return NULL; } // Reject a path if the value of sym is a constant X and !(X+Adj < V). if (const llvm::APSInt *X = getSymVal(state, sym)) { bool isFeasible = performTest(*X, Adjustment, BO_LT, V); return isFeasible ? state : NULL; } // FIXME: For now have assuming x < y be the same as assuming sym != V; return assumeSymNE(state, sym, V, Adjustment); } ProgramStateRef BasicConstraintManager::assumeSymGT(ProgramStateRef state, SymbolRef sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { APSIntType ComparisonType(V), AdjustmentType(Adjustment); // Is 'V' the largest possible value, or out of range above the type? llvm::APSInt Max = AdjustmentType.getMaxValue(); if (V >= ComparisonType.convert(Max)) { // sym cannot be any value greater than 'V'. This path is infeasible. return NULL; } // Is 'V' out of range below the type? llvm::APSInt Min = AdjustmentType.getMinValue(); if (V < ComparisonType.convert(Min)) { // This path is trivially feasible. return state; } // Reject a path if the value of sym is a constant X and !(X+Adj > V). if (const llvm::APSInt *X = getSymVal(state, sym)) { bool isFeasible = performTest(*X, Adjustment, BO_GT, V); return isFeasible ? state : NULL; } // FIXME: For now have assuming x > y be the same as assuming sym != V; return assumeSymNE(state, sym, V, Adjustment); } ProgramStateRef BasicConstraintManager::assumeSymGE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { APSIntType ComparisonType(V), AdjustmentType(Adjustment); // Is 'V' the largest possible value, or out of range above the type? llvm::APSInt Max = AdjustmentType.getMaxValue(); ComparisonType.apply(Max); if (V > Max) { // sym cannot be any value greater than 'V'. This path is infeasible. return NULL; } else if (V == Max) { // If the path is feasible then as a consequence we know that // 'sym+Adjustment == V' because there are no larger values. // Add this constraint. return assumeSymEQ(state, sym, V, Adjustment); } // Is 'V' out of range below the type? llvm::APSInt Min = AdjustmentType.getMinValue(); if (V < ComparisonType.convert(Min)) { // This path is trivially feasible. return state; } // Reject a path if the value of sym is a constant X and !(X+Adj >= V). if (const llvm::APSInt *X = getSymVal(state, sym)) { bool isFeasible = performTest(*X, Adjustment, BO_GE, V); return isFeasible ? state : NULL; } return state; } ProgramStateRef BasicConstraintManager::assumeSymLE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt &V, const llvm::APSInt &Adjustment) { APSIntType ComparisonType(V), AdjustmentType(Adjustment); // Is 'V' out of range above the type? llvm::APSInt Max = AdjustmentType.getMaxValue(); if (V > ComparisonType.convert(Max)) { // This path is trivially feasible. return state; } // Is 'V' the smallest possible value, or out of range below the type? llvm::APSInt Min = AdjustmentType.getMinValue(); ComparisonType.apply(Min); if (V < Min) { // sym cannot be any value less than 'V'. This path is infeasible. return NULL; } else if (V == Min) { // If the path is feasible then as a consequence we know that // 'sym+Adjustment == V' because there are no smaller values. // Add this constraint. return assumeSymEQ(state, sym, V, Adjustment); } // Reject a path if the value of sym is a constant X and !(X+Adj >= V). if (const llvm::APSInt *X = getSymVal(state, sym)) { bool isFeasible = performTest(*X, Adjustment, BO_LE, V); return isFeasible ? state : NULL; } return state; } ProgramStateRef BasicConstraintManager::AddEQ(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) { // Now that we have an actual value, we can throw out the NE-set. // Create a new state with the old bindings replaced. state = state->remove(sym); return state->set(sym, &getBasicVals().getValue(V)); } ProgramStateRef BasicConstraintManager::AddNE(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) { // First, retrieve the NE-set associated with the given symbol. ConstNotEqTy::data_type* T = state->get(sym); ProgramState::IntSetTy S = T ? *T : ISetFactory.getEmptySet(); // Now add V to the NE set. S = ISetFactory.add(S, &getBasicVals().getValue(V)); // Create a new state with the old binding replaced. return state->set(sym, S); } const llvm::APSInt* BasicConstraintManager::getSymVal(ProgramStateRef state, SymbolRef sym) const { const ConstEqTy::data_type* T = state->get(sym); return T ? *T : NULL; } bool BasicConstraintManager::isNotEqual(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) const { // Retrieve the NE-set associated with the given symbol. const ConstNotEqTy::data_type* T = state->get(sym); // See if V is present in the NE-set. return T ? T->contains(&getBasicVals().getValue(V)) : false; } bool BasicConstraintManager::isEqual(ProgramStateRef state, SymbolRef sym, const llvm::APSInt& V) const { // Retrieve the EQ-set associated with the given symbol. const ConstEqTy::data_type* T = state->get(sym); // See if V is present in the EQ-set. return T ? **T == V : false; } /// Scan all symbols referenced by the constraints. If the symbol is not alive /// as marked in LSymbols, mark it as dead in DSymbols. ProgramStateRef BasicConstraintManager::removeDeadBindings(ProgramStateRef state, SymbolReaper& SymReaper) { ConstEqTy CE = state->get(); ConstEqTy::Factory& CEFactory = state->get_context(); for (ConstEqTy::iterator I = CE.begin(), E = CE.end(); I!=E; ++I) { SymbolRef sym = I.getKey(); if (SymReaper.maybeDead(sym)) CE = CEFactory.remove(CE, sym); } state = state->set(CE); ConstNotEqTy CNE = state->get(); ConstNotEqTy::Factory& CNEFactory = state->get_context(); for (ConstNotEqTy::iterator I = CNE.begin(), E = CNE.end(); I != E; ++I) { SymbolRef sym = I.getKey(); if (SymReaper.maybeDead(sym)) CNE = CNEFactory.remove(CNE, sym); } return state->set(CNE); } void BasicConstraintManager::print(ProgramStateRef state, raw_ostream &Out, const char* nl, const char *sep) { // Print equality constraints. ConstEqTy CE = state->get(); if (!CE.isEmpty()) { Out << nl << sep << "'==' constraints:"; for (ConstEqTy::iterator I = CE.begin(), E = CE.end(); I!=E; ++I) Out << nl << " $" << I.getKey() << " : " << *I.getData(); } // Print != constraints. ConstNotEqTy CNE = state->get(); if (!CNE.isEmpty()) { Out << nl << sep << "'!=' constraints:"; for (ConstNotEqTy::iterator I = CNE.begin(), EI = CNE.end(); I!=EI; ++I) { Out << nl << " $" << I.getKey() << " : "; bool isFirst = true; ProgramState::IntSetTy::iterator J = I.getData().begin(), EJ = I.getData().end(); for ( ; J != EJ; ++J) { if (isFirst) isFirst = false; else Out << ", "; Out << (*J)->getSExtValue(); // Hack: should print to raw_ostream. } } } }