return StateMgr.Assume(St, Cond, Assumption, isFeasible);
}
+ const GRState* AssumeInBound(const GRState* St, SVal Idx, SVal UpperBound,
+ bool Assumption, bool& isFeasible) {
+ // FIXME: In this function, we will check if Idx can be in/out
+ // [0, UpperBound) according to the assumption. We can extend the
+ // interface to include a LowerBound parameter.
+ isFeasible = true;
+ return St;
+ }
+
NodeTy* MakeNode(NodeSet& Dst, Stmt* S, NodeTy* Pred, const GRState* St,
ProgramPoint::Kind K = ProgramPoint::PostStmtKind) {
assert (Builder && "GRStmtNodeBuilder not present.");
const FieldDecl* D) = 0;
virtual SVal getLValueElement(const GRState* St, SVal Base, SVal Offset) = 0;
-
+
+ virtual SVal getSizeInElements(const GRState* St, const MemRegion* R) {
+ return UnknownVal();
+ }
+
/// ArrayToPointer - Used by GRExprEngine::VistCast to handle implicit
/// conversions between arrays and pointers.
virtual SVal ArrayToPointer(SVal Array) = 0;
else ExplicitNullDeref.insert(NullNode);
}
}
+
+ // Check for out-of-bound array access.
+ if (isFeasibleNotNull && isa<loc::MemRegionVal>(LV)) {
+ const MemRegion* R = cast<loc::MemRegionVal>(LV).getRegion();
+ if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
+ // Get the index of the accessed element.
+ SVal Idx = ER->getIndex();
+ // Get the extent of the array.
+ SVal NumElements = StateMgr.getStoreManager().getSizeInElements(StNotNull,
+ ER->getSuperRegion());
+
+ bool isFeasibleInBound = false;
+ const GRState* StInBound = AssumeInBound(StNotNull, Idx, NumElements,
+ true, isFeasibleInBound);
+
+ bool isFeasibleOutBound = false;
+ const GRState* StOutBound = AssumeInBound(StNotNull, Idx, NumElements,
+ false, isFeasibleOutBound);
+
+ // Report warnings ...
+ }
+ }
return isFeasibleNotNull ? StNotNull : NULL;
}
projects / clang / commitdiff