| 1 | //=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // This file defines ExprEngine's support for C expressions. |
| 10 | // |
| 11 | //===----------------------------------------------------------------------===// |
| 12 | |
| 13 | #include "clang/AST/DeclCXX.h" |
| 14 | #include "clang/AST/ExprCXX.h" |
| 15 | #include "clang/StaticAnalyzer/Core/CheckerManager.h" |
| 16 | #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" |
| 17 | #include <optional> |
| 18 | |
| 19 | using namespace clang; |
| 20 | using namespace ento; |
| 21 | using llvm::APSInt; |
| 22 | |
| 23 | /// Optionally conjure and return a symbol for offset when processing |
| 24 | /// \p Elem. |
| 25 | /// If \p Other is a location, conjure a symbol for \p Symbol |
| 26 | /// (offset) if it is unknown so that memory arithmetic always |
| 27 | /// results in an ElementRegion. |
| 28 | /// \p Count The number of times the current basic block was visited. |
| 29 | static SVal conjureOffsetSymbolOnLocation(SVal Symbol, SVal Other, |
| 30 | ConstCFGElementRef Elem, QualType Ty, |
| 31 | SValBuilder &svalBuilder, |
| 32 | unsigned Count, |
| 33 | const LocationContext *LCtx) { |
| 34 | if (isa<Loc>(Val: Other) && Ty->isIntegralOrEnumerationType() && |
| 35 | Symbol.isUnknown()) { |
| 36 | return svalBuilder.conjureSymbolVal(elem: Elem, LCtx, type: Ty, visitCount: Count); |
| 37 | } |
| 38 | return Symbol; |
| 39 | } |
| 40 | |
| 41 | void ExprEngine::VisitBinaryOperator(const BinaryOperator* B, |
| 42 | ExplodedNode *Pred, |
| 43 | ExplodedNodeSet &Dst) { |
| 44 | |
| 45 | Expr *LHS = B->getLHS()->IgnoreParens(); |
| 46 | Expr *RHS = B->getRHS()->IgnoreParens(); |
| 47 | |
| 48 | // FIXME: Prechecks eventually go in ::Visit(). |
| 49 | ExplodedNodeSet CheckedSet; |
| 50 | ExplodedNodeSet Tmp2; |
| 51 | getCheckerManager().runCheckersForPreStmt(Dst&: CheckedSet, Src: Pred, S: B, Eng&: *this); |
| 52 | |
| 53 | // With both the LHS and RHS evaluated, process the operation itself. |
| 54 | for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end(); |
| 55 | it != ei; ++it) { |
| 56 | |
| 57 | ProgramStateRef state = (*it)->getState(); |
| 58 | const LocationContext *LCtx = (*it)->getLocationContext(); |
| 59 | SVal LeftV = state->getSVal(Ex: LHS, LCtx); |
| 60 | SVal RightV = state->getSVal(Ex: RHS, LCtx); |
| 61 | |
| 62 | BinaryOperator::Opcode Op = B->getOpcode(); |
| 63 | |
| 64 | if (Op == BO_Assign) { |
| 65 | // EXPERIMENTAL: "Conjured" symbols. |
| 66 | // FIXME: Handle structs. |
| 67 | if (RightV.isUnknown()) { |
| 68 | unsigned Count = currBldrCtx->blockCount(); |
| 69 | RightV = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx, |
| 70 | count: Count); |
| 71 | } |
| 72 | // Simulate the effects of a "store": bind the value of the RHS |
| 73 | // to the L-Value represented by the LHS. |
| 74 | SVal ExprVal = B->isGLValue() ? LeftV : RightV; |
| 75 | evalStore(Dst&: Tmp2, AssignE: B, StoreE: LHS, Pred: *it, St: state->BindExpr(S: B, LCtx, V: ExprVal), |
| 76 | TargetLV: LeftV, Val: RightV); |
| 77 | continue; |
| 78 | } |
| 79 | |
| 80 | if (!B->isAssignmentOp()) { |
| 81 | StmtNodeBuilder Bldr(*it, Tmp2, *currBldrCtx); |
| 82 | |
| 83 | if (B->isAdditiveOp()) { |
| 84 | // TODO: This can be removed after we enable history tracking with |
| 85 | // SymSymExpr. |
| 86 | unsigned Count = currBldrCtx->blockCount(); |
| 87 | RightV = conjureOffsetSymbolOnLocation( |
| 88 | Symbol: RightV, Other: LeftV, Elem: getCFGElementRef(), Ty: RHS->getType(), svalBuilder, |
| 89 | Count, LCtx); |
| 90 | LeftV = conjureOffsetSymbolOnLocation(Symbol: LeftV, Other: RightV, Elem: getCFGElementRef(), |
| 91 | Ty: LHS->getType(), svalBuilder, |
| 92 | Count, LCtx); |
| 93 | } |
| 94 | |
| 95 | // Although we don't yet model pointers-to-members, we do need to make |
| 96 | // sure that the members of temporaries have a valid 'this' pointer for |
| 97 | // other checks. |
| 98 | if (B->getOpcode() == BO_PtrMemD) |
| 99 | state = createTemporaryRegionIfNeeded(State: state, LC: LCtx, InitWithAdjustments: LHS); |
| 100 | |
| 101 | // Process non-assignments except commas or short-circuited |
| 102 | // logical expressions (LAnd and LOr). |
| 103 | SVal Result = evalBinOp(ST: state, Op, LHS: LeftV, RHS: RightV, T: B->getType()); |
| 104 | if (!Result.isUnknown()) { |
| 105 | state = state->BindExpr(S: B, LCtx, V: Result); |
| 106 | } else { |
| 107 | // If we cannot evaluate the operation escape the operands. |
| 108 | state = escapeValues(State: state, Vs: LeftV, K: PSK_EscapeOther); |
| 109 | state = escapeValues(State: state, Vs: RightV, K: PSK_EscapeOther); |
| 110 | } |
| 111 | |
| 112 | Bldr.generateNode(S: B, Pred: *it, St: state); |
| 113 | continue; |
| 114 | } |
| 115 | |
| 116 | assert (B->isCompoundAssignmentOp()); |
| 117 | |
| 118 | switch (Op) { |
| 119 | default: |
| 120 | llvm_unreachable("Invalid opcode for compound assignment."); |
| 121 | case BO_MulAssign: Op = BO_Mul; break; |
| 122 | case BO_DivAssign: Op = BO_Div; break; |
| 123 | case BO_RemAssign: Op = BO_Rem; break; |
| 124 | case BO_AddAssign: Op = BO_Add; break; |
| 125 | case BO_SubAssign: Op = BO_Sub; break; |
| 126 | case BO_ShlAssign: Op = BO_Shl; break; |
| 127 | case BO_ShrAssign: Op = BO_Shr; break; |
| 128 | case BO_AndAssign: Op = BO_And; break; |
| 129 | case BO_XorAssign: Op = BO_Xor; break; |
| 130 | case BO_OrAssign: Op = BO_Or; break; |
| 131 | } |
| 132 | |
| 133 | // Perform a load (the LHS). This performs the checks for |
| 134 | // null dereferences, and so on. |
| 135 | ExplodedNodeSet Tmp; |
| 136 | SVal location = LeftV; |
| 137 | evalLoad(Dst&: Tmp, NodeEx: B, BoundExpr: LHS, Pred: *it, St: state, location); |
| 138 | |
| 139 | for (ExplodedNode *N : Tmp) { |
| 140 | state = N->getState(); |
| 141 | const LocationContext *LCtx = N->getLocationContext(); |
| 142 | SVal V = state->getSVal(Ex: LHS, LCtx); |
| 143 | |
| 144 | // Get the computation type. |
| 145 | QualType CTy = |
| 146 | cast<CompoundAssignOperator>(Val: B)->getComputationResultType(); |
| 147 | CTy = getContext().getCanonicalType(T: CTy); |
| 148 | |
| 149 | QualType CLHSTy = |
| 150 | cast<CompoundAssignOperator>(Val: B)->getComputationLHSType(); |
| 151 | CLHSTy = getContext().getCanonicalType(T: CLHSTy); |
| 152 | |
| 153 | QualType LTy = getContext().getCanonicalType(T: LHS->getType()); |
| 154 | |
| 155 | // Promote LHS. |
| 156 | V = svalBuilder.evalCast(V, CastTy: CLHSTy, OriginalTy: LTy); |
| 157 | |
| 158 | // Compute the result of the operation. |
| 159 | SVal Result = svalBuilder.evalCast(V: evalBinOp(ST: state, Op, LHS: V, RHS: RightV, T: CTy), |
| 160 | CastTy: B->getType(), OriginalTy: CTy); |
| 161 | |
| 162 | // EXPERIMENTAL: "Conjured" symbols. |
| 163 | // FIXME: Handle structs. |
| 164 | |
| 165 | SVal LHSVal; |
| 166 | |
| 167 | if (Result.isUnknown()) { |
| 168 | // The symbolic value is actually for the type of the left-hand side |
| 169 | // expression, not the computation type, as this is the value the |
| 170 | // LValue on the LHS will bind to. |
| 171 | LHSVal = svalBuilder.conjureSymbolVal(/*symbolTag=*/nullptr, |
| 172 | elem: getCFGElementRef(), LCtx, type: LTy, |
| 173 | count: currBldrCtx->blockCount()); |
| 174 | // However, we need to convert the symbol to the computation type. |
| 175 | Result = svalBuilder.evalCast(V: LHSVal, CastTy: CTy, OriginalTy: LTy); |
| 176 | } else { |
| 177 | // The left-hand side may bind to a different value then the |
| 178 | // computation type. |
| 179 | LHSVal = svalBuilder.evalCast(V: Result, CastTy: LTy, OriginalTy: CTy); |
| 180 | } |
| 181 | |
| 182 | // In C++, assignment and compound assignment operators return an |
| 183 | // lvalue. |
| 184 | if (B->isGLValue()) |
| 185 | state = state->BindExpr(S: B, LCtx, V: location); |
| 186 | else |
| 187 | state = state->BindExpr(S: B, LCtx, V: Result); |
| 188 | |
| 189 | evalStore(Dst&: Tmp2, AssignE: B, StoreE: LHS, Pred: N, St: state, TargetLV: location, Val: LHSVal); |
| 190 | } |
| 191 | } |
| 192 | |
| 193 | // FIXME: postvisits eventually go in ::Visit() |
| 194 | getCheckerManager().runCheckersForPostStmt(Dst, Src: Tmp2, S: B, Eng&: *this); |
| 195 | } |
| 196 | |
| 197 | void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, |
| 198 | ExplodedNodeSet &Dst) { |
| 199 | |
| 200 | CanQualType T = getContext().getCanonicalType(T: BE->getType()); |
| 201 | |
| 202 | const BlockDecl *BD = BE->getBlockDecl(); |
| 203 | // Get the value of the block itself. |
| 204 | SVal V = svalBuilder.getBlockPointer(block: BD, locTy: T, |
| 205 | locContext: Pred->getLocationContext(), |
| 206 | blockCount: currBldrCtx->blockCount()); |
| 207 | |
| 208 | ProgramStateRef State = Pred->getState(); |
| 209 | |
| 210 | // If we created a new MemRegion for the block, we should explicitly bind |
| 211 | // the captured variables. |
| 212 | if (const BlockDataRegion *BDR = |
| 213 | dyn_cast_or_null<BlockDataRegion>(Val: V.getAsRegion())) { |
| 214 | |
| 215 | auto ReferencedVars = BDR->referenced_vars(); |
| 216 | auto CI = BD->capture_begin(); |
| 217 | auto CE = BD->capture_end(); |
| 218 | for (auto Var : ReferencedVars) { |
| 219 | const VarRegion *capturedR = Var.getCapturedRegion(); |
| 220 | const TypedValueRegion *originalR = Var.getOriginalRegion(); |
| 221 | |
| 222 | // If the capture had a copy expression, use the result of evaluating |
| 223 | // that expression, otherwise use the original value. |
| 224 | // We rely on the invariant that the block declaration's capture variables |
| 225 | // are a prefix of the BlockDataRegion's referenced vars (which may include |
| 226 | // referenced globals, etc.) to enable fast lookup of the capture for a |
| 227 | // given referenced var. |
| 228 | const Expr *copyExpr = nullptr; |
| 229 | if (CI != CE) { |
| 230 | assert(CI->getVariable() == capturedR->getDecl()); |
| 231 | copyExpr = CI->getCopyExpr(); |
| 232 | CI++; |
| 233 | } |
| 234 | |
| 235 | if (capturedR != originalR) { |
| 236 | SVal originalV; |
| 237 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 238 | if (copyExpr) { |
| 239 | originalV = State->getSVal(Ex: copyExpr, LCtx); |
| 240 | } else { |
| 241 | originalV = State->getSVal(LV: loc::MemRegionVal(originalR)); |
| 242 | } |
| 243 | State = State->bindLoc(location: loc::MemRegionVal(capturedR), V: originalV, LCtx); |
| 244 | } |
| 245 | } |
| 246 | } |
| 247 | |
| 248 | ExplodedNodeSet Tmp; |
| 249 | StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx); |
| 250 | Bldr.generateNode(S: BE, Pred, |
| 251 | St: State->BindExpr(S: BE, LCtx: Pred->getLocationContext(), V), |
| 252 | tag: nullptr, K: ProgramPoint::PostLValueKind); |
| 253 | |
| 254 | // FIXME: Move all post/pre visits to ::Visit(). |
| 255 | getCheckerManager().runCheckersForPostStmt(Dst, Src: Tmp, S: BE, Eng&: *this); |
| 256 | } |
| 257 | |
| 258 | ProgramStateRef ExprEngine::handleLValueBitCast( |
| 259 | ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx, |
| 260 | QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr, |
| 261 | ExplodedNode* Pred) { |
| 262 | if (T->isLValueReferenceType()) { |
| 263 | assert(!CastE->getType()->isLValueReferenceType()); |
| 264 | ExTy = getContext().getLValueReferenceType(T: ExTy); |
| 265 | } else if (T->isRValueReferenceType()) { |
| 266 | assert(!CastE->getType()->isRValueReferenceType()); |
| 267 | ExTy = getContext().getRValueReferenceType(T: ExTy); |
| 268 | } |
| 269 | // Delegate to SValBuilder to process. |
| 270 | SVal OrigV = state->getSVal(Ex, LCtx); |
| 271 | SVal SimplifiedOrigV = svalBuilder.simplifySVal(State: state, Val: OrigV); |
| 272 | SVal V = svalBuilder.evalCast(V: SimplifiedOrigV, CastTy: T, OriginalTy: ExTy); |
| 273 | // Negate the result if we're treating the boolean as a signed i1 |
| 274 | if (CastE->getCastKind() == CK_BooleanToSignedIntegral && V.isValid()) |
| 275 | V = svalBuilder.evalMinus(val: V.castAs<NonLoc>()); |
| 276 | |
| 277 | state = state->BindExpr(S: CastE, LCtx, V); |
| 278 | if (V.isUnknown() && !OrigV.isUnknown()) { |
| 279 | state = escapeValues(State: state, Vs: OrigV, K: PSK_EscapeOther); |
| 280 | } |
| 281 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 282 | |
| 283 | return state; |
| 284 | } |
| 285 | |
| 286 | void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex, |
| 287 | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
| 288 | |
| 289 | ExplodedNodeSet DstPreStmt; |
| 290 | getCheckerManager().runCheckersForPreStmt(Dst&: DstPreStmt, Src: Pred, S: CastE, Eng&: *this); |
| 291 | |
| 292 | if (CastE->getCastKind() == CK_LValueToRValue) { |
| 293 | for (ExplodedNode *Node : DstPreStmt) { |
| 294 | ProgramStateRef State = Node->getState(); |
| 295 | const LocationContext *LCtx = Node->getLocationContext(); |
| 296 | evalLoad(Dst, NodeEx: CastE, BoundExpr: CastE, Pred: Node, St: State, location: State->getSVal(Ex, LCtx)); |
| 297 | } |
| 298 | return; |
| 299 | } |
| 300 | if (CastE->getCastKind() == CK_LValueToRValueBitCast) { |
| 301 | // Handle `__builtin_bit_cast`: |
| 302 | ExplodedNodeSet DstEvalLoc; |
| 303 | |
| 304 | // Simulate the lvalue-to-rvalue conversion on `Ex`: |
| 305 | for (ExplodedNode *Node : DstPreStmt) { |
| 306 | ProgramStateRef State = Node->getState(); |
| 307 | const LocationContext *LCtx = Node->getLocationContext(); |
| 308 | evalLocation(Dst&: DstEvalLoc, NodeEx: CastE, BoundEx: Ex, Pred: Node, St: State, location: State->getSVal(Ex, LCtx), |
| 309 | isLoad: true); |
| 310 | } |
| 311 | // Simulate the operation that actually casts the original value to a new |
| 312 | // value of the destination type : |
| 313 | StmtNodeBuilder Bldr(DstEvalLoc, Dst, *currBldrCtx); |
| 314 | |
| 315 | for (ExplodedNode *Node : DstEvalLoc) { |
| 316 | ProgramStateRef State = Node->getState(); |
| 317 | const LocationContext *LCtx = Node->getLocationContext(); |
| 318 | // Although `Ex` is an lvalue, it could have `Loc::ConcreteInt` kind |
| 319 | // (e.g., `(int *)123456`). In such cases, there is no MemRegion |
| 320 | // available and we can't get the value to be casted. |
| 321 | SVal CastedV = UnknownVal(); |
| 322 | |
| 323 | if (const MemRegion *MR = State->getSVal(Ex, LCtx).getAsRegion()) { |
| 324 | SVal OrigV = State->getSVal(R: MR); |
| 325 | CastedV = svalBuilder.evalCast(V: svalBuilder.simplifySVal(State, Val: OrigV), |
| 326 | CastTy: CastE->getType(), OriginalTy: Ex->getType()); |
| 327 | } |
| 328 | State = State->BindExpr(S: CastE, LCtx, V: CastedV); |
| 329 | Bldr.generateNode(S: CastE, Pred: Node, St: State); |
| 330 | } |
| 331 | return; |
| 332 | } |
| 333 | |
| 334 | // All other casts. |
| 335 | QualType T = CastE->getType(); |
| 336 | QualType ExTy = Ex->getType(); |
| 337 | |
| 338 | if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(Val: CastE)) |
| 339 | T = ExCast->getTypeAsWritten(); |
| 340 | |
| 341 | StmtNodeBuilder Bldr(DstPreStmt, Dst, *currBldrCtx); |
| 342 | for (ExplodedNode *Pred : DstPreStmt) { |
| 343 | ProgramStateRef state = Pred->getState(); |
| 344 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 345 | |
| 346 | switch (CastE->getCastKind()) { |
| 347 | case CK_LValueToRValue: |
| 348 | case CK_LValueToRValueBitCast: |
| 349 | llvm_unreachable("LValueToRValue casts handled earlier."); |
| 350 | case CK_ToVoid: |
| 351 | continue; |
| 352 | // The analyzer doesn't do anything special with these casts, |
| 353 | // since it understands retain/release semantics already. |
| 354 | case CK_ARCProduceObject: |
| 355 | case CK_ARCConsumeObject: |
| 356 | case CK_ARCReclaimReturnedObject: |
| 357 | case CK_ARCExtendBlockObject: // Fall-through. |
| 358 | case CK_CopyAndAutoreleaseBlockObject: |
| 359 | // The analyser can ignore atomic casts for now, although some future |
| 360 | // checkers may want to make certain that you're not modifying the same |
| 361 | // value through atomic and nonatomic pointers. |
| 362 | case CK_AtomicToNonAtomic: |
| 363 | case CK_NonAtomicToAtomic: |
| 364 | // True no-ops. |
| 365 | case CK_NoOp: |
| 366 | case CK_ConstructorConversion: |
| 367 | case CK_UserDefinedConversion: |
| 368 | case CK_FunctionToPointerDecay: |
| 369 | case CK_BuiltinFnToFnPtr: |
| 370 | case CK_HLSLArrayRValue: { |
| 371 | // Copy the SVal of Ex to CastE. |
| 372 | ProgramStateRef state = Pred->getState(); |
| 373 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 374 | SVal V = state->getSVal(Ex, LCtx); |
| 375 | state = state->BindExpr(S: CastE, LCtx, V); |
| 376 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 377 | continue; |
| 378 | } |
| 379 | case CK_MemberPointerToBoolean: |
| 380 | case CK_PointerToBoolean: { |
| 381 | SVal V = state->getSVal(Ex, LCtx); |
| 382 | auto PTMSV = V.getAs<nonloc::PointerToMember>(); |
| 383 | if (PTMSV) |
| 384 | V = svalBuilder.makeTruthVal(b: !PTMSV->isNullMemberPointer(), type: ExTy); |
| 385 | if (V.isUndef() || PTMSV) { |
| 386 | state = state->BindExpr(S: CastE, LCtx, V); |
| 387 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 388 | continue; |
| 389 | } |
| 390 | // Explicitly proceed with default handler for this case cascade. |
| 391 | state = |
| 392 | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
| 393 | continue; |
| 394 | } |
| 395 | case CK_Dependent: |
| 396 | case CK_ArrayToPointerDecay: |
| 397 | case CK_BitCast: |
| 398 | case CK_AddressSpaceConversion: |
| 399 | case CK_BooleanToSignedIntegral: |
| 400 | case CK_IntegralToPointer: |
| 401 | case CK_PointerToIntegral: { |
| 402 | SVal V = state->getSVal(Ex, LCtx); |
| 403 | if (isa<nonloc::PointerToMember>(Val: V)) { |
| 404 | state = state->BindExpr(S: CastE, LCtx, V: UnknownVal()); |
| 405 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 406 | continue; |
| 407 | } |
| 408 | // Explicitly proceed with default handler for this case cascade. |
| 409 | state = |
| 410 | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
| 411 | continue; |
| 412 | } |
| 413 | case CK_IntegralToBoolean: |
| 414 | case CK_IntegralToFloating: |
| 415 | case CK_FloatingToIntegral: |
| 416 | case CK_FloatingToBoolean: |
| 417 | case CK_FloatingCast: |
| 418 | case CK_FloatingRealToComplex: |
| 419 | case CK_FloatingComplexToReal: |
| 420 | case CK_FloatingComplexToBoolean: |
| 421 | case CK_FloatingComplexCast: |
| 422 | case CK_FloatingComplexToIntegralComplex: |
| 423 | case CK_IntegralRealToComplex: |
| 424 | case CK_IntegralComplexToReal: |
| 425 | case CK_IntegralComplexToBoolean: |
| 426 | case CK_IntegralComplexCast: |
| 427 | case CK_IntegralComplexToFloatingComplex: |
| 428 | case CK_CPointerToObjCPointerCast: |
| 429 | case CK_BlockPointerToObjCPointerCast: |
| 430 | case CK_AnyPointerToBlockPointerCast: |
| 431 | case CK_ObjCObjectLValueCast: |
| 432 | case CK_ZeroToOCLOpaqueType: |
| 433 | case CK_IntToOCLSampler: |
| 434 | case CK_LValueBitCast: |
| 435 | case CK_FloatingToFixedPoint: |
| 436 | case CK_FixedPointToFloating: |
| 437 | case CK_FixedPointCast: |
| 438 | case CK_FixedPointToBoolean: |
| 439 | case CK_FixedPointToIntegral: |
| 440 | case CK_IntegralToFixedPoint: { |
| 441 | state = |
| 442 | handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred); |
| 443 | continue; |
| 444 | } |
| 445 | case CK_IntegralCast: { |
| 446 | // Delegate to SValBuilder to process. |
| 447 | SVal V = state->getSVal(Ex, LCtx); |
| 448 | if (AMgr.options.ShouldSupportSymbolicIntegerCasts) |
| 449 | V = svalBuilder.evalCast(V, CastTy: T, OriginalTy: ExTy); |
| 450 | else |
| 451 | V = svalBuilder.evalIntegralCast(state, val: V, castTy: T, originalType: ExTy); |
| 452 | state = state->BindExpr(S: CastE, LCtx, V); |
| 453 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 454 | continue; |
| 455 | } |
| 456 | case CK_DerivedToBase: |
| 457 | case CK_UncheckedDerivedToBase: { |
| 458 | // For DerivedToBase cast, delegate to the store manager. |
| 459 | SVal val = state->getSVal(Ex, LCtx); |
| 460 | val = getStoreManager().evalDerivedToBase(Derived: val, Cast: CastE); |
| 461 | state = state->BindExpr(S: CastE, LCtx, V: val); |
| 462 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 463 | continue; |
| 464 | } |
| 465 | // Handle C++ dyn_cast. |
| 466 | case CK_Dynamic: { |
| 467 | SVal val = state->getSVal(Ex, LCtx); |
| 468 | |
| 469 | // Compute the type of the result. |
| 470 | QualType resultType = CastE->getType(); |
| 471 | if (CastE->isGLValue()) |
| 472 | resultType = getContext().getPointerType(T: resultType); |
| 473 | |
| 474 | bool Failed = true; |
| 475 | |
| 476 | // Check if the value being cast does not evaluates to 0. |
| 477 | if (!val.isZeroConstant()) |
| 478 | if (std::optional<SVal> V = |
| 479 | StateMgr.getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T)) { |
| 480 | val = *V; |
| 481 | Failed = false; |
| 482 | } |
| 483 | |
| 484 | if (Failed) { |
| 485 | if (T->isReferenceType()) { |
| 486 | // A bad_cast exception is thrown if input value is a reference. |
| 487 | // Currently, we model this, by generating a sink. |
| 488 | Bldr.generateSink(S: CastE, Pred, St: state); |
| 489 | continue; |
| 490 | } else { |
| 491 | // If the cast fails on a pointer, bind to 0. |
| 492 | state = state->BindExpr(S: CastE, LCtx, |
| 493 | V: svalBuilder.makeNullWithType(type: resultType)); |
| 494 | } |
| 495 | } else { |
| 496 | // If we don't know if the cast succeeded, conjure a new symbol. |
| 497 | if (val.isUnknown()) { |
| 498 | DefinedOrUnknownSVal NewSym = svalBuilder.conjureSymbolVal( |
| 499 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType, |
| 500 | count: currBldrCtx->blockCount()); |
| 501 | state = state->BindExpr(S: CastE, LCtx, V: NewSym); |
| 502 | } else |
| 503 | // Else, bind to the derived region value. |
| 504 | state = state->BindExpr(S: CastE, LCtx, V: val); |
| 505 | } |
| 506 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 507 | continue; |
| 508 | } |
| 509 | case CK_BaseToDerived: { |
| 510 | SVal val = state->getSVal(Ex, LCtx); |
| 511 | QualType resultType = CastE->getType(); |
| 512 | if (CastE->isGLValue()) |
| 513 | resultType = getContext().getPointerType(T: resultType); |
| 514 | |
| 515 | if (!val.isConstant()) { |
| 516 | std::optional<SVal> V = getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T); |
| 517 | val = V ? *V : UnknownVal(); |
| 518 | } |
| 519 | |
| 520 | // Failed to cast or the result is unknown, fall back to conservative. |
| 521 | if (val.isUnknown()) { |
| 522 | val = svalBuilder.conjureSymbolVal( |
| 523 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType, |
| 524 | count: currBldrCtx->blockCount()); |
| 525 | } |
| 526 | state = state->BindExpr(S: CastE, LCtx, V: val); |
| 527 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 528 | continue; |
| 529 | } |
| 530 | case CK_NullToPointer: { |
| 531 | SVal V = svalBuilder.makeNullWithType(type: CastE->getType()); |
| 532 | state = state->BindExpr(S: CastE, LCtx, V); |
| 533 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 534 | continue; |
| 535 | } |
| 536 | case CK_NullToMemberPointer: { |
| 537 | SVal V = svalBuilder.getMemberPointer(ND: nullptr); |
| 538 | state = state->BindExpr(S: CastE, LCtx, V); |
| 539 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 540 | continue; |
| 541 | } |
| 542 | case CK_DerivedToBaseMemberPointer: |
| 543 | case CK_BaseToDerivedMemberPointer: |
| 544 | case CK_ReinterpretMemberPointer: { |
| 545 | SVal V = state->getSVal(Ex, LCtx); |
| 546 | if (auto PTMSV = V.getAs<nonloc::PointerToMember>()) { |
| 547 | SVal CastedPTMSV = |
| 548 | svalBuilder.makePointerToMember(PTMD: getBasicVals().accumCXXBase( |
| 549 | PathRange: CastE->path(), PTM: *PTMSV, kind: CastE->getCastKind())); |
| 550 | state = state->BindExpr(S: CastE, LCtx, V: CastedPTMSV); |
| 551 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 552 | continue; |
| 553 | } |
| 554 | // Explicitly proceed with default handler for this case cascade. |
| 555 | } |
| 556 | [[fallthrough]]; |
| 557 | // Various C++ casts that are not handled yet. |
| 558 | case CK_ToUnion: |
| 559 | case CK_MatrixCast: |
| 560 | case CK_VectorSplat: |
| 561 | case CK_HLSLElementwiseCast: |
| 562 | case CK_HLSLAggregateSplatCast: |
| 563 | case CK_HLSLMatrixTruncation: |
| 564 | case CK_HLSLVectorTruncation: { |
| 565 | QualType resultType = CastE->getType(); |
| 566 | if (CastE->isGLValue()) |
| 567 | resultType = getContext().getPointerType(T: resultType); |
| 568 | SVal result = svalBuilder.conjureSymbolVal( |
| 569 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType, |
| 570 | count: currBldrCtx->blockCount()); |
| 571 | state = state->BindExpr(S: CastE, LCtx, V: result); |
| 572 | Bldr.generateNode(S: CastE, Pred, St: state); |
| 573 | continue; |
| 574 | } |
| 575 | } |
| 576 | } |
| 577 | } |
| 578 | |
| 579 | void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL, |
| 580 | ExplodedNode *Pred, |
| 581 | ExplodedNodeSet &Dst) { |
| 582 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
| 583 | |
| 584 | ProgramStateRef State = Pred->getState(); |
| 585 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 586 | |
| 587 | const Expr *Init = CL->getInitializer(); |
| 588 | SVal V = State->getSVal(Ex: CL->getInitializer(), LCtx); |
| 589 | |
| 590 | if (isa<CXXConstructExpr, CXXStdInitializerListExpr>(Val: Init)) { |
| 591 | // No work needed. Just pass the value up to this expression. |
| 592 | } else { |
| 593 | assert(isa<InitListExpr>(Init)); |
| 594 | Loc CLLoc = State->getLValue(literal: CL, LC: LCtx); |
| 595 | State = State->bindLoc(location: CLLoc, V, LCtx); |
| 596 | |
| 597 | if (CL->isGLValue()) |
| 598 | V = CLLoc; |
| 599 | } |
| 600 | |
| 601 | B.generateNode(S: CL, Pred, St: State->BindExpr(S: CL, LCtx, V)); |
| 602 | } |
| 603 | |
| 604 | void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred, |
| 605 | ExplodedNodeSet &Dst) { |
| 606 | if (isa<TypedefNameDecl>(Val: *DS->decl_begin())) { |
| 607 | // C99 6.7.7 "Any array size expressions associated with variable length |
| 608 | // array declarators are evaluated each time the declaration of the typedef |
| 609 | // name is reached in the order of execution." |
| 610 | // The checkers should know about typedef to be able to handle VLA size |
| 611 | // expressions. |
| 612 | ExplodedNodeSet DstPre; |
| 613 | getCheckerManager().runCheckersForPreStmt(Dst&: DstPre, Src: Pred, S: DS, Eng&: *this); |
| 614 | getCheckerManager().runCheckersForPostStmt(Dst, Src: DstPre, S: DS, Eng&: *this); |
| 615 | return; |
| 616 | } |
| 617 | |
| 618 | // Assumption: The CFG has one DeclStmt per Decl. |
| 619 | const VarDecl *VD = dyn_cast_or_null<VarDecl>(Val: *DS->decl_begin()); |
| 620 | |
| 621 | if (!VD) { |
| 622 | //TODO:AZ: remove explicit insertion after refactoring is done. |
| 623 | Dst.insert(S: Pred); |
| 624 | return; |
| 625 | } |
| 626 | |
| 627 | // FIXME: all pre/post visits should eventually be handled by ::Visit(). |
| 628 | ExplodedNodeSet dstPreVisit; |
| 629 | getCheckerManager().runCheckersForPreStmt(Dst&: dstPreVisit, Src: Pred, S: DS, Eng&: *this); |
| 630 | |
| 631 | ExplodedNodeSet dstEvaluated; |
| 632 | StmtNodeBuilder B(dstPreVisit, dstEvaluated, *currBldrCtx); |
| 633 | for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end(); |
| 634 | I!=E; ++I) { |
| 635 | ExplodedNode *N = *I; |
| 636 | ProgramStateRef state = N->getState(); |
| 637 | const LocationContext *LC = N->getLocationContext(); |
| 638 | |
| 639 | // Decls without InitExpr are not initialized explicitly. |
| 640 | if (const Expr *InitEx = VD->getInit()) { |
| 641 | |
| 642 | // Note in the state that the initialization has occurred. |
| 643 | ExplodedNode *UpdatedN = N; |
| 644 | SVal InitVal = state->getSVal(Ex: InitEx, LCtx: LC); |
| 645 | |
| 646 | assert(DS->isSingleDecl()); |
| 647 | if (getObjectUnderConstruction(State: state, Item: DS, LC)) { |
| 648 | state = finishObjectConstruction(State: state, Item: DS, LC); |
| 649 | // We constructed the object directly in the variable. |
| 650 | // No need to bind anything. |
| 651 | B.generateNode(S: DS, Pred: UpdatedN, St: state); |
| 652 | } else { |
| 653 | // Recover some path-sensitivity if a scalar value evaluated to |
| 654 | // UnknownVal. |
| 655 | if (InitVal.isUnknown()) { |
| 656 | QualType Ty = InitEx->getType(); |
| 657 | if (InitEx->isGLValue()) { |
| 658 | Ty = getContext().getPointerType(T: Ty); |
| 659 | } |
| 660 | |
| 661 | InitVal = svalBuilder.conjureSymbolVal( |
| 662 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx: LC, type: Ty, |
| 663 | count: currBldrCtx->blockCount()); |
| 664 | } |
| 665 | |
| 666 | |
| 667 | B.takeNodes(N: UpdatedN); |
| 668 | ExplodedNodeSet Dst2; |
| 669 | evalBind(Dst&: Dst2, StoreE: DS, Pred: UpdatedN, location: state->getLValue(VD, LC), Val: InitVal, AtDeclInit: true); |
| 670 | B.addNodes(S: Dst2); |
| 671 | } |
| 672 | } |
| 673 | else { |
| 674 | B.generateNode(S: DS, Pred: N, St: state); |
| 675 | } |
| 676 | } |
| 677 | |
| 678 | getCheckerManager().runCheckersForPostStmt(Dst, Src: B.getResults(), S: DS, Eng&: *this); |
| 679 | } |
| 680 | |
| 681 | void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred, |
| 682 | ExplodedNodeSet &Dst) { |
| 683 | // This method acts upon CFG elements for logical operators && and || |
| 684 | // and attaches the value (true or false) to them as expressions. |
| 685 | // It doesn't produce any state splits. |
| 686 | // If we made it that far, we're past the point when we modeled the short |
| 687 | // circuit. It means that we should have precise knowledge about whether |
| 688 | // we've short-circuited. If we did, we already know the value we need to |
| 689 | // bind. If we didn't, the value of the RHS (casted to the boolean type) |
| 690 | // is the answer. |
| 691 | // Currently this method tries to figure out whether we've short-circuited |
| 692 | // by looking at the ExplodedGraph. This method is imperfect because there |
| 693 | // could inevitably have been merges that would have resulted in multiple |
| 694 | // potential path traversal histories. We bail out when we fail. |
| 695 | // Due to this ambiguity, a more reliable solution would have been to |
| 696 | // track the short circuit operation history path-sensitively until |
| 697 | // we evaluate the respective logical operator. |
| 698 | assert(B->getOpcode() == BO_LAnd || |
| 699 | B->getOpcode() == BO_LOr); |
| 700 | |
| 701 | StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); |
| 702 | ProgramStateRef state = Pred->getState(); |
| 703 | |
| 704 | if (B->getType()->isVectorType()) { |
| 705 | // FIXME: We do not model vector arithmetic yet. When adding support for |
| 706 | // that, note that the CFG-based reasoning below does not apply, because |
| 707 | // logical operators on vectors are not short-circuit. Currently they are |
| 708 | // modeled as short-circuit in Clang CFG but this is incorrect. |
| 709 | // Do not set the value for the expression. It'd be UnknownVal by default. |
| 710 | Bldr.generateNode(S: B, Pred, St: state); |
| 711 | return; |
| 712 | } |
| 713 | |
| 714 | ExplodedNode *N = Pred; |
| 715 | while (!N->getLocation().getAs<BlockEdge>()) { |
| 716 | ProgramPoint P = N->getLocation(); |
| 717 | assert(P.getAs<PreStmt>() || P.getAs<PreStmtPurgeDeadSymbols>() || |
| 718 | P.getAs<BlockEntrance>()); |
| 719 | (void) P; |
| 720 | if (N->pred_size() != 1) { |
| 721 | // We failed to track back where we came from. |
| 722 | Bldr.generateNode(S: B, Pred, St: state); |
| 723 | return; |
| 724 | } |
| 725 | N = *N->pred_begin(); |
| 726 | } |
| 727 | |
| 728 | if (N->pred_size() != 1) { |
| 729 | // We failed to track back where we came from. |
| 730 | Bldr.generateNode(S: B, Pred, St: state); |
| 731 | return; |
| 732 | } |
| 733 | |
| 734 | BlockEdge BE = N->getLocation().castAs<BlockEdge>(); |
| 735 | SVal X; |
| 736 | |
| 737 | // Determine the value of the expression by introspecting how we |
| 738 | // got this location in the CFG. This requires looking at the previous |
| 739 | // block we were in and what kind of control-flow transfer was involved. |
| 740 | const CFGBlock *SrcBlock = BE.getSrc(); |
| 741 | // The only terminator (if there is one) that makes sense is a logical op. |
| 742 | CFGTerminator T = SrcBlock->getTerminator(); |
| 743 | if (const BinaryOperator *Term = cast_or_null<BinaryOperator>(Val: T.getStmt())) { |
| 744 | (void) Term; |
| 745 | assert(Term->isLogicalOp()); |
| 746 | assert(SrcBlock->succ_size() == 2); |
| 747 | // Did we take the true or false branch? |
| 748 | unsigned constant = (*SrcBlock->succ_begin() == BE.getDst()) ? 1 : 0; |
| 749 | X = svalBuilder.makeIntVal(integer: constant, type: B->getType()); |
| 750 | } |
| 751 | else { |
| 752 | // If there is no terminator, by construction the last statement |
| 753 | // in SrcBlock is the value of the enclosing expression. |
| 754 | // However, we still need to constrain that value to be 0 or 1. |
| 755 | assert(!SrcBlock->empty()); |
| 756 | CFGStmt Elem = SrcBlock->rbegin()->castAs<CFGStmt>(); |
| 757 | const Expr *RHS = cast<Expr>(Val: Elem.getStmt()); |
| 758 | SVal RHSVal = N->getState()->getSVal(Ex: RHS, LCtx: Pred->getLocationContext()); |
| 759 | |
| 760 | if (RHSVal.isUndef()) { |
| 761 | X = RHSVal; |
| 762 | } else { |
| 763 | // We evaluate "RHSVal != 0" expression which result in 0 if the value is |
| 764 | // known to be false, 1 if the value is known to be true and a new symbol |
| 765 | // when the assumption is unknown. |
| 766 | nonloc::ConcreteInt Zero(getBasicVals().getValue(X: 0, T: B->getType())); |
| 767 | X = evalBinOp(ST: N->getState(), Op: BO_NE, |
| 768 | LHS: svalBuilder.evalCast(V: RHSVal, CastTy: B->getType(), OriginalTy: RHS->getType()), |
| 769 | RHS: Zero, T: B->getType()); |
| 770 | } |
| 771 | } |
| 772 | Bldr.generateNode(S: B, Pred, St: state->BindExpr(S: B, LCtx: Pred->getLocationContext(), V: X)); |
| 773 | } |
| 774 | |
| 775 | void ExprEngine::VisitGuardedExpr(const Expr *Ex, |
| 776 | const Expr *L, |
| 777 | const Expr *R, |
| 778 | ExplodedNode *Pred, |
| 779 | ExplodedNodeSet &Dst) { |
| 780 | assert(L && R); |
| 781 | |
| 782 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
| 783 | ProgramStateRef state = Pred->getState(); |
| 784 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 785 | const CFGBlock *SrcBlock = nullptr; |
| 786 | |
| 787 | // Find the predecessor block. |
| 788 | ProgramStateRef SrcState = state; |
| 789 | for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()) { |
| 790 | auto Edge = N->getLocationAs<BlockEdge>(); |
| 791 | if (!Edge.has_value()) { |
| 792 | // If the state N has multiple predecessors P, it means that successors |
| 793 | // of P are all equivalent. |
| 794 | // In turn, that means that all nodes at P are equivalent in terms |
| 795 | // of observable behavior at N, and we can follow any of them. |
| 796 | // FIXME: a more robust solution which does not walk up the tree. |
| 797 | continue; |
| 798 | } |
| 799 | SrcBlock = Edge->getSrc(); |
| 800 | SrcState = N->getState(); |
| 801 | break; |
| 802 | } |
| 803 | |
| 804 | assert(SrcBlock && "missing function entry"); |
| 805 | |
| 806 | // Find the last expression in the predecessor block. That is the |
| 807 | // expression that is used for the value of the ternary expression. |
| 808 | bool hasValue = false; |
| 809 | SVal V; |
| 810 | |
| 811 | for (CFGElement CE : llvm::reverse(C: *SrcBlock)) { |
| 812 | if (std::optional<CFGStmt> CS = CE.getAs<CFGStmt>()) { |
| 813 | const Expr *ValEx = cast<Expr>(Val: CS->getStmt()); |
| 814 | ValEx = ValEx->IgnoreParens(); |
| 815 | |
| 816 | // For GNU extension '?:' operator, the left hand side will be an |
| 817 | // OpaqueValueExpr, so get the underlying expression. |
| 818 | if (const OpaqueValueExpr *OpaqueEx = dyn_cast<OpaqueValueExpr>(Val: L)) |
| 819 | L = OpaqueEx->getSourceExpr(); |
| 820 | |
| 821 | // If the last expression in the predecessor block matches true or false |
| 822 | // subexpression, get its the value. |
| 823 | if (ValEx == L->IgnoreParens() || ValEx == R->IgnoreParens()) { |
| 824 | hasValue = true; |
| 825 | V = SrcState->getSVal(Ex: ValEx, LCtx); |
| 826 | } |
| 827 | break; |
| 828 | } |
| 829 | } |
| 830 | |
| 831 | if (!hasValue) |
| 832 | V = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx, |
| 833 | count: currBldrCtx->blockCount()); |
| 834 | |
| 835 | // Generate a new node with the binding from the appropriate path. |
| 836 | B.generateNode(S: Ex, Pred, St: state->BindExpr(S: Ex, LCtx, V, Invalidate: true)); |
| 837 | } |
| 838 | |
| 839 | void ExprEngine:: |
| 840 | VisitOffsetOfExpr(const OffsetOfExpr *OOE, |
| 841 | ExplodedNode *Pred, ExplodedNodeSet &Dst) { |
| 842 | StmtNodeBuilder B(Pred, Dst, *currBldrCtx); |
| 843 | Expr::EvalResult Result; |
| 844 | if (OOE->EvaluateAsInt(Result, Ctx: getContext())) { |
| 845 | APSInt IV = Result.Val.getInt(); |
| 846 | assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType())); |
| 847 | assert(OOE->getType()->castAs<BuiltinType>()->isInteger()); |
| 848 | assert(IV.isSigned() == OOE->getType()->isSignedIntegerType()); |
| 849 | SVal X = svalBuilder.makeIntVal(integer: IV); |
| 850 | B.generateNode(S: OOE, Pred, |
| 851 | St: Pred->getState()->BindExpr(S: OOE, LCtx: Pred->getLocationContext(), |
| 852 | V: X)); |
| 853 | } |
| 854 | // FIXME: Handle the case where __builtin_offsetof is not a constant. |
| 855 | } |
| 856 | |
| 857 | |
| 858 | void ExprEngine:: |
| 859 | VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex, |
| 860 | ExplodedNode *Pred, |
| 861 | ExplodedNodeSet &Dst) { |
| 862 | // FIXME: Prechecks eventually go in ::Visit(). |
| 863 | ExplodedNodeSet CheckedSet; |
| 864 | getCheckerManager().runCheckersForPreStmt(Dst&: CheckedSet, Src: Pred, S: Ex, Eng&: *this); |
| 865 | |
| 866 | ExplodedNodeSet EvalSet; |
| 867 | StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx); |
| 868 | |
| 869 | QualType T = Ex->getTypeOfArgument(); |
| 870 | |
| 871 | for (ExplodedNode *N : CheckedSet) { |
| 872 | if (Ex->getKind() == UETT_SizeOf || Ex->getKind() == UETT_DataSizeOf || |
| 873 | Ex->getKind() == UETT_CountOf) { |
| 874 | if (!T->isIncompleteType() && !T->isConstantSizeType()) { |
| 875 | assert(T->isVariableArrayType() && "Unknown non-constant-sized type."); |
| 876 | |
| 877 | // FIXME: Add support for VLA type arguments and VLA expressions. |
| 878 | // When that happens, we should probably refactor VLASizeChecker's code. |
| 879 | continue; |
| 880 | } else if (T->getAs<ObjCObjectType>()) { |
| 881 | // Some code tries to take the sizeof an ObjCObjectType, relying that |
| 882 | // the compiler has laid out its representation. Just report Unknown |
| 883 | // for these. |
| 884 | continue; |
| 885 | } |
| 886 | } |
| 887 | |
| 888 | APSInt Value = Ex->EvaluateKnownConstInt(Ctx: getContext()); |
| 889 | CharUnits amt = CharUnits::fromQuantity(Quantity: Value.getZExtValue()); |
| 890 | |
| 891 | ProgramStateRef state = N->getState(); |
| 892 | state = state->BindExpr( |
| 893 | S: Ex, LCtx: N->getLocationContext(), |
| 894 | V: svalBuilder.makeIntVal(integer: amt.getQuantity(), type: Ex->getType())); |
| 895 | Bldr.generateNode(S: Ex, Pred: N, St: state); |
| 896 | } |
| 897 | |
| 898 | getCheckerManager().runCheckersForPostStmt(Dst, Src: EvalSet, S: Ex, Eng&: *this); |
| 899 | } |
| 900 | |
| 901 | void ExprEngine::handleUOExtension(ExplodedNode *N, const UnaryOperator *U, |
| 902 | StmtNodeBuilder &Bldr) { |
| 903 | // FIXME: We can probably just have some magic in Environment::getSVal() |
| 904 | // that propagates values, instead of creating a new node here. |
| 905 | // |
| 906 | // Unary "+" is a no-op, similar to a parentheses. We still have places |
| 907 | // where it may be a block-level expression, so we need to |
| 908 | // generate an extra node that just propagates the value of the |
| 909 | // subexpression. |
| 910 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 911 | ProgramStateRef state = N->getState(); |
| 912 | const LocationContext *LCtx = N->getLocationContext(); |
| 913 | Bldr.generateNode(S: U, Pred: N, St: state->BindExpr(S: U, LCtx, V: state->getSVal(Ex, LCtx))); |
| 914 | } |
| 915 | |
| 916 | void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, ExplodedNode *Pred, |
| 917 | ExplodedNodeSet &Dst) { |
| 918 | // FIXME: Prechecks eventually go in ::Visit(). |
| 919 | ExplodedNodeSet CheckedSet; |
| 920 | getCheckerManager().runCheckersForPreStmt(Dst&: CheckedSet, Src: Pred, S: U, Eng&: *this); |
| 921 | |
| 922 | ExplodedNodeSet EvalSet; |
| 923 | StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx); |
| 924 | |
| 925 | for (ExplodedNode *N : CheckedSet) { |
| 926 | switch (U->getOpcode()) { |
| 927 | default: { |
| 928 | Bldr.takeNodes(N); |
| 929 | ExplodedNodeSet Tmp; |
| 930 | VisitIncrementDecrementOperator(U, Pred: N, Dst&: Tmp); |
| 931 | Bldr.addNodes(S: Tmp); |
| 932 | break; |
| 933 | } |
| 934 | case UO_Real: { |
| 935 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 936 | |
| 937 | // FIXME: We don't have complex SValues yet. |
| 938 | if (Ex->getType()->isAnyComplexType()) { |
| 939 | // Just report "Unknown." |
| 940 | break; |
| 941 | } |
| 942 | |
| 943 | // For all other types, UO_Real is an identity operation. |
| 944 | assert (U->getType() == Ex->getType()); |
| 945 | ProgramStateRef state = N->getState(); |
| 946 | const LocationContext *LCtx = N->getLocationContext(); |
| 947 | Bldr.generateNode(S: U, Pred: N, |
| 948 | St: state->BindExpr(S: U, LCtx, V: state->getSVal(Ex, LCtx))); |
| 949 | break; |
| 950 | } |
| 951 | |
| 952 | case UO_Imag: { |
| 953 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 954 | // FIXME: We don't have complex SValues yet. |
| 955 | if (Ex->getType()->isAnyComplexType()) { |
| 956 | // Just report "Unknown." |
| 957 | break; |
| 958 | } |
| 959 | // For all other types, UO_Imag returns 0. |
| 960 | ProgramStateRef state = N->getState(); |
| 961 | const LocationContext *LCtx = N->getLocationContext(); |
| 962 | SVal X = svalBuilder.makeZeroVal(type: Ex->getType()); |
| 963 | Bldr.generateNode(S: U, Pred: N, St: state->BindExpr(S: U, LCtx, V: X)); |
| 964 | break; |
| 965 | } |
| 966 | |
| 967 | case UO_AddrOf: { |
| 968 | // Process pointer-to-member address operation. |
| 969 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 970 | if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Val: Ex)) { |
| 971 | const ValueDecl *VD = DRE->getDecl(); |
| 972 | |
| 973 | if (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(Val: VD)) { |
| 974 | ProgramStateRef State = N->getState(); |
| 975 | const LocationContext *LCtx = N->getLocationContext(); |
| 976 | SVal SV = svalBuilder.getMemberPointer(ND: cast<NamedDecl>(Val: VD)); |
| 977 | Bldr.generateNode(S: U, Pred: N, St: State->BindExpr(S: U, LCtx, V: SV)); |
| 978 | break; |
| 979 | } |
| 980 | } |
| 981 | // Explicitly proceed with default handler for this case cascade. |
| 982 | handleUOExtension(N, U, Bldr); |
| 983 | break; |
| 984 | } |
| 985 | case UO_Plus: |
| 986 | assert(!U->isGLValue()); |
| 987 | [[fallthrough]]; |
| 988 | case UO_Deref: |
| 989 | case UO_Extension: { |
| 990 | handleUOExtension(N, U, Bldr); |
| 991 | break; |
| 992 | } |
| 993 | |
| 994 | case UO_LNot: |
| 995 | case UO_Minus: |
| 996 | case UO_Not: { |
| 997 | assert (!U->isGLValue()); |
| 998 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 999 | ProgramStateRef state = N->getState(); |
| 1000 | const LocationContext *LCtx = N->getLocationContext(); |
| 1001 | |
| 1002 | // Get the value of the subexpression. |
| 1003 | SVal V = state->getSVal(Ex, LCtx); |
| 1004 | |
| 1005 | if (V.isUnknownOrUndef()) { |
| 1006 | Bldr.generateNode(S: U, Pred: N, St: state->BindExpr(S: U, LCtx, V)); |
| 1007 | break; |
| 1008 | } |
| 1009 | |
| 1010 | switch (U->getOpcode()) { |
| 1011 | default: |
| 1012 | llvm_unreachable("Invalid Opcode."); |
| 1013 | case UO_Not: |
| 1014 | // FIXME: Do we need to handle promotions? |
| 1015 | state = state->BindExpr( |
| 1016 | S: U, LCtx, V: svalBuilder.evalComplement(val: V.castAs<NonLoc>())); |
| 1017 | break; |
| 1018 | case UO_Minus: |
| 1019 | // FIXME: Do we need to handle promotions? |
| 1020 | state = state->BindExpr(S: U, LCtx, |
| 1021 | V: svalBuilder.evalMinus(val: V.castAs<NonLoc>())); |
| 1022 | break; |
| 1023 | case UO_LNot: |
| 1024 | // C99 6.5.3.3: "The expression !E is equivalent to (0==E)." |
| 1025 | // |
| 1026 | // Note: technically we do "E == 0", but this is the same in the |
| 1027 | // transfer functions as "0 == E". |
| 1028 | SVal Result; |
| 1029 | if (std::optional<Loc> LV = V.getAs<Loc>()) { |
| 1030 | Loc X = svalBuilder.makeNullWithType(type: Ex->getType()); |
| 1031 | Result = evalBinOp(ST: state, Op: BO_EQ, LHS: *LV, RHS: X, T: U->getType()); |
| 1032 | } else if (Ex->getType()->isFloatingType()) { |
| 1033 | // FIXME: handle floating point types. |
| 1034 | Result = UnknownVal(); |
| 1035 | } else { |
| 1036 | nonloc::ConcreteInt X(getBasicVals().getValue(X: 0, T: Ex->getType())); |
| 1037 | Result = evalBinOp(ST: state, Op: BO_EQ, LHS: V.castAs<NonLoc>(), RHS: X, T: U->getType()); |
| 1038 | } |
| 1039 | |
| 1040 | state = state->BindExpr(S: U, LCtx, V: Result); |
| 1041 | break; |
| 1042 | } |
| 1043 | Bldr.generateNode(S: U, Pred: N, St: state); |
| 1044 | break; |
| 1045 | } |
| 1046 | } |
| 1047 | } |
| 1048 | |
| 1049 | getCheckerManager().runCheckersForPostStmt(Dst, Src: EvalSet, S: U, Eng&: *this); |
| 1050 | } |
| 1051 | |
| 1052 | void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U, |
| 1053 | ExplodedNode *Pred, |
| 1054 | ExplodedNodeSet &Dst) { |
| 1055 | // Handle ++ and -- (both pre- and post-increment). |
| 1056 | assert (U->isIncrementDecrementOp()); |
| 1057 | const Expr *Ex = U->getSubExpr()->IgnoreParens(); |
| 1058 | |
| 1059 | const LocationContext *LCtx = Pred->getLocationContext(); |
| 1060 | ProgramStateRef state = Pred->getState(); |
| 1061 | SVal loc = state->getSVal(Ex, LCtx); |
| 1062 | |
| 1063 | // Perform a load. |
| 1064 | ExplodedNodeSet Tmp; |
| 1065 | evalLoad(Dst&: Tmp, NodeEx: U, BoundExpr: Ex, Pred, St: state, location: loc); |
| 1066 | |
| 1067 | ExplodedNodeSet Dst2; |
| 1068 | StmtNodeBuilder Bldr(Tmp, Dst2, *currBldrCtx); |
| 1069 | for (ExplodedNode *N : Tmp) { |
| 1070 | state = N->getState(); |
| 1071 | assert(LCtx == N->getLocationContext()); |
| 1072 | SVal V2_untested = state->getSVal(Ex, LCtx); |
| 1073 | |
| 1074 | // Propagate unknown and undefined values. |
| 1075 | if (V2_untested.isUnknownOrUndef()) { |
| 1076 | state = state->BindExpr(S: U, LCtx, V: V2_untested); |
| 1077 | |
| 1078 | // Perform the store, so that the uninitialized value detection happens. |
| 1079 | Bldr.takeNodes(N); |
| 1080 | ExplodedNodeSet Dst3; |
| 1081 | evalStore(Dst&: Dst3, AssignE: U, StoreE: Ex, Pred: N, St: state, TargetLV: loc, Val: V2_untested); |
| 1082 | Bldr.addNodes(S: Dst3); |
| 1083 | |
| 1084 | continue; |
| 1085 | } |
| 1086 | DefinedSVal V2 = V2_untested.castAs<DefinedSVal>(); |
| 1087 | |
| 1088 | // Handle all other values. |
| 1089 | BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub; |
| 1090 | |
| 1091 | // If the UnaryOperator has non-location type, use its type to create the |
| 1092 | // constant value. If the UnaryOperator has location type, create the |
| 1093 | // constant with int type and pointer width. |
| 1094 | SVal RHS; |
| 1095 | SVal Result; |
| 1096 | |
| 1097 | if (U->getType()->isAnyPointerType()) |
| 1098 | RHS = svalBuilder.makeArrayIndex(idx: 1); |
| 1099 | else if (U->getType()->isIntegralOrEnumerationType()) |
| 1100 | RHS = svalBuilder.makeIntVal(integer: 1, type: U->getType()); |
| 1101 | else |
| 1102 | RHS = UnknownVal(); |
| 1103 | |
| 1104 | // The use of an operand of type bool with the ++ operators is deprecated |
| 1105 | // but valid until C++17. And if the operand of the ++ operator is of type |
| 1106 | // bool, it is set to true until C++17. Note that for '_Bool', it is also |
| 1107 | // set to true when it encounters ++ operator. |
| 1108 | if (U->getType()->isBooleanType() && U->isIncrementOp()) |
| 1109 | Result = svalBuilder.makeTruthVal(b: true, type: U->getType()); |
| 1110 | else |
| 1111 | Result = evalBinOp(ST: state, Op, LHS: V2, RHS, T: U->getType()); |
| 1112 | |
| 1113 | // Conjure a new symbol if necessary to recover precision. |
| 1114 | if (Result.isUnknown()){ |
| 1115 | DefinedOrUnknownSVal SymVal = svalBuilder.conjureSymbolVal( |
| 1116 | /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, |
| 1117 | count: currBldrCtx->blockCount()); |
| 1118 | Result = SymVal; |
| 1119 | |
| 1120 | // If the value is a location, ++/-- should always preserve |
| 1121 | // non-nullness. Check if the original value was non-null, and if so |
| 1122 | // propagate that constraint. |
| 1123 | if (Loc::isLocType(T: U->getType())) { |
| 1124 | DefinedOrUnknownSVal Constraint = |
| 1125 | svalBuilder.evalEQ(state, lhs: V2,rhs: svalBuilder.makeZeroVal(type: U->getType())); |
| 1126 | |
| 1127 | if (!state->assume(Cond: Constraint, Assumption: true)) { |
| 1128 | // It isn't feasible for the original value to be null. |
| 1129 | // Propagate this constraint. |
| 1130 | Constraint = svalBuilder.evalEQ(state, lhs: SymVal, |
| 1131 | rhs: svalBuilder.makeZeroVal(type: U->getType())); |
| 1132 | |
| 1133 | state = state->assume(Cond: Constraint, Assumption: false); |
| 1134 | assert(state); |
| 1135 | } |
| 1136 | } |
| 1137 | } |
| 1138 | |
| 1139 | // Since the lvalue-to-rvalue conversion is explicit in the AST, |
| 1140 | // we bind an l-value if the operator is prefix and an lvalue (in C++). |
| 1141 | if (U->isGLValue()) |
| 1142 | state = state->BindExpr(S: U, LCtx, V: loc); |
| 1143 | else |
| 1144 | state = state->BindExpr(S: U, LCtx, V: U->isPostfix() ? V2 : Result); |
| 1145 | |
| 1146 | // Perform the store. |
| 1147 | Bldr.takeNodes(N); |
| 1148 | ExplodedNodeSet Dst3; |
| 1149 | evalStore(Dst&: Dst3, AssignE: U, StoreE: Ex, Pred: N, St: state, TargetLV: loc, Val: Result); |
| 1150 | Bldr.addNodes(S: Dst3); |
| 1151 | } |
| 1152 | Dst.insert(S: Dst2); |
| 1153 | } |
| 1154 |
Generated on 2026-Feb-03 from project llvm_projects revision abdf66d60
Powered by 
Code Browser 2.1
Generator usage only permitted with license.