return StoreMgr->GetSVal(St->getStore(), LV, T);
}
+ SVal GetSVal(const GRState* St, const MemRegion* R) {
+ return StoreMgr->GetRegionSVal(St->getStore(), R);
+ }
+
void SetSVal(GRState& St, Loc LV, SVal V) {
St.St = StoreMgr->SetSVal(St.St, LV, V);
}
return Mgr->GetSVal(St, LV, T);
}
+ SVal GetSVal(const MemRegion* R) {
+ return Mgr->GetSVal(St, R);
+ }
+
GRStateRef SetSVal(Expr* Ex, SVal V, bool isBlkExpr, bool Invalidate) {
return GRStateRef(Mgr->SetSVal(St, Ex, V, isBlkExpr, Invalidate), *Mgr);
}
#ifndef LLVM_CLANG_ANALYSIS_MEMREGION_H
#define LLVM_CLANG_ANALYSIS_MEMREGION_H
+#include "clang/AST/Decl.h"
+#include "clang/AST/DeclObjC.h"
+#include "clang/Analysis/PathSensitive/SymbolManager.h"
#include "llvm/Support/Casting.h"
#include "llvm/ADT/FoldingSet.h"
#include "llvm/Support/Allocator.h"
-#include "clang/AST/Decl.h"
-#include "clang/AST/DeclObjC.h"
#include <string>
namespace llvm { class raw_ostream; }
/// MemRegion - The root abstract class for all memory regions.
class MemRegion : public llvm::FoldingSetNode {
public:
- enum Kind { MemSpaceRegionKind,
+ enum Kind { MemSpaceRegionKind, SymbolicRegionKind,
// Typed regions.
BEG_TYPED_REGIONS,
VarRegionKind, FieldRegionKind, ObjCIvarRegionKind,
public:
// virtual MemExtent getExtent(MemRegionManager& mrm) const = 0;
- virtual const MemRegion* getSuperRegion() const = 0;
virtual void Profile(llvm::FoldingSetNodeID& ID) const = 0;
std::string getString() const;
public:
//RegionExtent getExtent() const { return UndefinedExtent(); }
- const MemRegion* getSuperRegion() const {
- return 0;
- }
-
- //static void ProfileRegion(llvm::FoldingSetNodeID& ID);
void Profile(llvm::FoldingSetNodeID& ID) const;
static bool classof(const MemRegion* R) {
}
};
-/// TypedRegion - An abstract class representing regions that are typed.
-class TypedRegion : public MemRegion {
+/// SubRegion - A region that subsets another larger region. Most regions
+/// are subclasses of SubRegion.
+class SubRegion : public MemRegion {
protected:
- const MemRegion* superRegion;
-
- TypedRegion(const MemRegion* sReg, Kind k)
- : MemRegion(k), superRegion(sReg) {};
+ const MemRegion* superRegion;
+ SubRegion(const MemRegion* sReg, Kind k) : MemRegion(k), superRegion(sReg) {}
public:
- virtual QualType getType() const = 0;
-
- // MemExtent getExtent(MemRegionManager& mrm) const;
const MemRegion* getSuperRegion() const {
return superRegion;
}
+ static bool classof(const MemRegion* R) {
+ return R->getKind() > SymbolicRegionKind;
+ }
+};
+
+/// SymbolicRegion - A special, "non-concrete" region. Unlike other region
+/// clases, SymbolicRegion represents a region that serves as an alias for
+/// either a real region, a NULL pointer, etc. It essentially is used to
+/// map the concept of symbolic values into the domain of regions. Symbolic
+/// regions do not need to be typed.
+class SymbolicRegion : public MemRegion {
+protected:
+ const SymbolID sym;
+
+public:
+ SymbolicRegion(const SymbolID s) : MemRegion(SymbolicRegionKind), sym(s) {}
+
+ SymbolID getSymbol() const {
+ return sym;
+ }
+
+ void Profile(llvm::FoldingSetNodeID& ID) const;
+ static void ProfileRegion(llvm::FoldingSetNodeID& ID, SymbolID sym);
+
+ void print(llvm::raw_ostream& os) const;
+
+ static bool classof(const MemRegion* R) {
+ return R->getKind() == SymbolicRegionKind;
+ }
+};
+
+/// TypedRegion - An abstract class representing regions that are typed.
+class TypedRegion : public SubRegion {
+protected:
+ TypedRegion(const MemRegion* sReg, Kind k) : SubRegion(sReg, k) {}
+
+public:
+ virtual QualType getType() const = 0;
+
static bool classof(const MemRegion* R) {
unsigned k = R->getKind();
return k > BEG_TYPED_REGIONS && k < END_TYPED_REGIONS;
protected:
const Decl* D;
- DeclRegion(const Decl* d, MemRegion* sReg, Kind k)
+ DeclRegion(const Decl* d, const MemRegion* sReg, Kind k)
: TypedRegion(sReg, k), D(d) {}
static void ProfileRegion(llvm::FoldingSetNodeID& ID, const Decl* D,
class VarRegion : public DeclRegion {
friend class MemRegionManager;
- VarRegion(const VarDecl* vd, MemRegion* sReg)
+ VarRegion(const VarDecl* vd, const MemRegion* sReg)
: DeclRegion(vd, sReg, VarRegionKind) {}
static void ProfileRegion(llvm::FoldingSetNodeID& ID, VarDecl* VD,
class FieldRegion : public DeclRegion {
friend class MemRegionManager;
- FieldRegion(const FieldDecl* fd, MemRegion* sReg)
+ FieldRegion(const FieldDecl* fd, const MemRegion* sReg)
: DeclRegion(fd, sReg, FieldRegionKind) {}
static void ProfileRegion(llvm::FoldingSetNodeID& ID, FieldDecl* FD,
friend class MemRegionManager;
- ObjCIvarRegion(const ObjCIvarDecl* ivd, MemRegion* sReg)
+ ObjCIvarRegion(const ObjCIvarDecl* ivd, const MemRegion* sReg)
: DeclRegion(ivd, sReg, ObjCIvarRegionKind) {}
static void ProfileRegion(llvm::FoldingSetNodeID& ID, ObjCIvarDecl* ivd,
/// memory space.
MemSpaceRegion* getUnknownRegion();
+ /// getSymbolicRegion - Retrieve or create a "symbolic" memory region.
+ SymbolicRegion* getSymbolicRegion(const SymbolID sym);
+
/// getVarRegion - Retrieve or create the memory region associated with
/// a specified VarDecl. 'superRegion' corresponds to the containing
/// memory region, and 'off' is the offset within the containing region.
- VarRegion* getVarRegion(const VarDecl* vd, MemRegion* superRegion);
+ VarRegion* getVarRegion(const VarDecl* vd, const MemRegion* superRegion);
VarRegion* getVarRegion(const VarDecl* vd) {
return getVarRegion(vd, vd->hasLocalStorage() ? getStackRegion()
/// a specified FieldDecl. 'superRegion' corresponds to the containing
/// memory region (which typically represents the memory representing
/// a structure or class).
- FieldRegion* getFieldRegion(const FieldDecl* fd, MemRegion* superRegion);
+ FieldRegion* getFieldRegion(const FieldDecl* fd, const MemRegion* superRegion);
/// getObjCIvarRegion - Retrieve or create the memory region associated with
/// a specified Objective-c instance variable. 'superRegion' corresponds
/// to the containing region (which typically represents the Objective-C
/// object).
ObjCIvarRegion* getObjCIvarRegion(const ObjCIvarDecl* ivd,
- MemRegion* superRegion);
+ const MemRegion* superRegion);
AnonPointeeRegion* getAnonPointeeRegion(const VarDecl* d);
public:
MemRegionVal(const MemRegion* r) : Loc(MemRegionKind, r) {}
- MemRegion* getRegion() const {
+ const MemRegion* getRegion() const {
return static_cast<MemRegion*>(Data);
}
+ template <typename REGION>
+ const REGION* getRegionAs() const {
+ return llvm::dyn_cast<REGION>(getRegion());
+ }
+
inline bool operator==(const MemRegionVal& R) const {
return getRegion() == R.getRegion();
}
#define LLVM_CLANG_ANALYSIS_STORE_H
#include "clang/Analysis/PathSensitive/RValues.h"
+#include "clang/Analysis/PathSensitive/MemRegion.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/DenseSet.h"
class Stmt;
class Expr;
class ObjCIvarDecl;
-class MemRegion;
-class MemRegionManager;
class StoreManager {
public:
typedef llvm::DenseSet<SymbolID> DeadSymbolsTy;
virtual ~StoreManager() {}
- virtual SVal GetSVal(Store St, Loc LV, QualType T = QualType()) = 0;
+ virtual SVal GetSVal(Store St, Loc LV, QualType T = QualType()) = 0;
+
+ virtual SVal GetRegionSVal(Store St, const MemRegion* R) {
+ return GetSVal(St, loc::MemRegionVal(R));
+ }
+
virtual Store SetSVal(Store St, Loc LV, SVal V) = 0;
virtual Store Remove(Store St, Loc LV) = 0;
virtual Store getInitialStore() = 0;
private:
- void AddError(TypedRegion* R, Expr* Ex, ExplodedNode<GRState> *N,
+ void AddError(const TypedRegion* R, Expr* Ex, ExplodedNode<GRState> *N,
uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
};
} // end anonymous namespace
if (!LV)
return false;
- TypedRegion* R = dyn_cast<TypedRegion>(LV->getRegion());
+ const TypedRegion* R = dyn_cast<TypedRegion>(LV->getRegion());
if (!R)
return false;
return SourceSize < TargetSize;
}
-void AuditCFNumberCreate::AddError(TypedRegion* R, Expr* Ex,
+void AuditCFNumberCreate::AddError(const TypedRegion* R, Expr* Ex,
ExplodedNode<GRState> *N,
uint64_t SourceSize, uint64_t TargetSize,
uint64_t NumberKind) {
SVal BasicStoreManager::getLValueField(const GRState* St, const FieldDecl* D,
SVal Base) {
- return UnknownVal();
+
+ if (Base.isUnknownOrUndef())
+ return Base;
+
+ Loc BaseL = cast<Loc>(Base);
+ const MemRegion* BaseR = 0;
+
+ switch(BaseL.getSubKind()) {
+ case loc::SymbolValKind:
+ BaseR = MRMgr.getSymbolicRegion(cast<loc::SymbolVal>(&BaseL)->getSymbol());
+ break;
+
+ case loc::GotoLabelKind:
+ case loc::FuncValKind:
+ // Technically we can get here if people do funny things with casts.
+ return UndefinedVal();
+
+ case loc::MemRegionKind:
+ BaseR = cast<loc::MemRegionVal>(BaseL).getRegion();
+ break;
+
+ case loc::ConcreteIntKind:
+ case loc::StringLiteralValKind:
+ // While these seem funny, this can happen through casts.
+ // FIXME: What we should return is the field offset. For example,
+ // add the field offset to the integer value. That way funny things
+ // like this work properly: &(((struct foo *) 0xa)->f)
+ return Base;
+
+ default:
+ assert ("Unhandled Base.");
+ return Base;
+ }
+
+ return loc::MemRegionVal(MRMgr.getFieldRegion(D, BaseR));
}
SVal BasicStoreManager::getLValueElement(const GRState* St, SVal Base,
switch (LV.getSubKind()) {
case loc::MemRegionKind: {
- VarRegion* R =
+ const VarRegion* R =
dyn_cast<VarRegion>(cast<loc::MemRegionVal>(LV).getRegion());
if (!R)
Store BasicStoreManager::SetSVal(Store store, Loc LV, SVal V) {
switch (LV.getSubKind()) {
case loc::MemRegionKind: {
- VarRegion* R =
+ const VarRegion* R =
dyn_cast<VarRegion>(cast<loc::MemRegionVal>(LV).getRegion());
if (!R)
Store BasicStoreManager::Remove(Store store, Loc LV) {
switch (LV.getSubKind()) {
case loc::MemRegionKind: {
- VarRegion* R =
- dyn_cast<VarRegion>(cast<loc::MemRegionVal>(LV).getRegion());
+ const VarRegion* R =
+ dyn_cast<VarRegion>(cast<loc::MemRegionVal>(LV).getRegion());
if (!R)
return store;
state = state.remove<RefBindings>(Sym);
}
- TypedRegion* R = dyn_cast<TypedRegion>(MR->getRegion());
+ const TypedRegion* R = dyn_cast<TypedRegion>(MR->getRegion());
if (R) {
// Set the value of the variable to be a conjured symbol.
unsigned Count = Builder.getCurrentBlockCount();
if (!isa<loc::MemRegionVal>(TargetLV))
escapes = true;
else {
- MemRegion* R = cast<loc::MemRegionVal>(TargetLV).getRegion();
+ const MemRegion* R = cast<loc::MemRegionVal>(TargetLV).getRegion();
escapes = !Eng.getStateManager().hasStackStorage(R);
}
GRExprEngine& Eng, GRBugReporter& BR,
bool isNSErrorWarning) {
- SVal ParamSVal = rootState.GetLValue(Param);
+ SVal ParamL = rootState.GetLValue(Param);
+ const MemRegion* ParamR = cast<loc::MemRegionVal>(ParamL).getRegionAs<VarRegion>();
+ assert (ParamR && "Parameters always have VarRegions.");
+ SVal ParamSVal = rootState.GetSVal(ParamR);
+
// FIXME: For now assume that ParamSVal is symbolic. We need to generalize
// this later.
DeclRegion::ProfileRegion(ID, D, superRegion, getKind());
}
+void SymbolicRegion::ProfileRegion(llvm::FoldingSetNodeID& ID, SymbolID sym) {
+ ID.AddInteger((unsigned) MemRegion::SymbolicRegionKind);
+ ID.AddInteger(sym.getNumber());
+}
+
+void SymbolicRegion::Profile(llvm::FoldingSetNodeID& ID) const {
+ SymbolicRegion::ProfileRegion(ID, sym);
+}
+
//===----------------------------------------------------------------------===//
// Region pretty-printing.
//===----------------------------------------------------------------------===//
os << cast<VarDecl>(D)->getName();
}
+void SymbolicRegion::print(llvm::raw_ostream& os) const {
+ os << "$" << sym.getNumber();
+}
+
//===----------------------------------------------------------------------===//
// MemRegionManager methods.
//===----------------------------------------------------------------------===//
}
VarRegion* MemRegionManager::getVarRegion(const VarDecl* d,
- MemRegion* superRegion) {
+ const MemRegion* superRegion) {
llvm::FoldingSetNodeID ID;
DeclRegion::ProfileRegion(ID, d, superRegion, MemRegion::VarRegionKind);
return R;
}
+/// getSymbolicRegion - Retrieve or create a "symbolic" memory region.
+SymbolicRegion* MemRegionManager::getSymbolicRegion(const SymbolID sym) {
+
+ llvm::FoldingSetNodeID ID;
+ SymbolicRegion::ProfileRegion(ID, sym);
+
+ void* InsertPos;
+ MemRegion* data = Regions.FindNodeOrInsertPos(ID, InsertPos);
+ SymbolicRegion* R = cast_or_null<SymbolicRegion>(data);
+
+ if (!R) {
+ R = (SymbolicRegion*) A.Allocate<SymbolicRegion>();
+ new (R) SymbolicRegion(sym);
+ Regions.InsertNode(R, InsertPos);
+ }
+
+ return R;
+}
+
FieldRegion* MemRegionManager::getFieldRegion(const FieldDecl* d,
- MemRegion* superRegion) {
+ const MemRegion* superRegion) {
llvm::FoldingSetNodeID ID;
DeclRegion::ProfileRegion(ID, d, superRegion, MemRegion::FieldRegionKind);
return R;
}
-ObjCIvarRegion* MemRegionManager::getObjCIvarRegion(const ObjCIvarDecl* d,
- MemRegion* superRegion) {
+ObjCIvarRegion*
+MemRegionManager::getObjCIvarRegion(const ObjCIvarDecl* d,
+ const MemRegion* superRegion) {
llvm::FoldingSetNodeID ID;
DeclRegion::ProfileRegion(ID, d, superRegion, MemRegion::ObjCIvarRegionKind);
}
bool MemRegionManager::hasStackStorage(const MemRegion* R) {
+ const SubRegion* SR = dyn_cast<SubRegion>(R);
+
+ // Only subregions can have stack storage.
+ if (!SR)
+ return false;
+
MemSpaceRegion* S = getStackRegion();
- while (R) {
- if (R == S) return true;
- R = R->getSuperRegion();
+ while (SR) {
+ R = SR->getSuperRegion();
+ if (R == S)
+ return true;
+
+ SR = dyn_cast<SubRegion>(R);
}
return false;
Store RegionStoreManager::SetSVal(Store store, Loc LV, SVal V) {
assert(LV.getSubKind() == loc::MemRegionKind);
- MemRegion* R = cast<loc::MemRegionVal>(LV).getRegion();
+ const MemRegion* R = cast<loc::MemRegionVal>(LV).getRegion();
if (!R)
return store;
projects / clang / commitdiff