virtual QualType getLocationType() const {
// FIXME: We can possibly optimize this later to cache this value.
- return getContext().getPointerType(getValueType());
+ QualType T = getValueType();
+ ASTContext &ctx = getContext();
+ if (T->getAs<ObjCObjectType>())
+ return ctx.getObjCObjectPointerType(T);
+ return ctx.getPointerType(getValueType());
}
QualType getDesugaredValueType(ASTContext &Context) const {
/// casted and 'CastToTy' the result type of the cast.
const MemRegion *CastRegion(const MemRegion *region, QualType CastToTy);
-
- /// evalBinOp - Perform pointer arithmetic.
- virtual SVal evalBinOp(BinaryOperator::Opcode Op,
- Loc lhs, NonLoc rhs, QualType resultTy) {
- return UnknownVal();
- }
-
virtual Store RemoveDeadBindings(Store store, const StackFrameContext *LCtx,
SymbolReaper& SymReaper,
llvm::SmallVectorImpl<const MemRegion*>& RegionRoots) = 0;
SVal SimpleSValBuilder::evalBinOpLN(const GRState *state,
BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) {
+
+ // Special case: rhs is a zero constant.
+ if (rhs.isZeroConstant())
+ return lhs;
+
// Special case: 'rhs' is an integer that has the same width as a pointer and
// we are using the integer location in a comparison. Normally this cannot be
// triggered, but transfer functions like those for OSCommpareAndSwapBarrier32
return loc::ConcreteInt(getBasicValueFactory().getValue(rightI));
}
}
-
- // Delegate remaining pointer arithmetic to the StoreManager.
- return state->getStateManager().getStoreManager().evalBinOp(op, lhs,
- rhs, resultTy);
+ // Handle cases where 'lhs' is a region.
+ if (const MemRegion *region = lhs.getAsRegion()) {
+ rhs = cast<NonLoc>(convertToArrayIndex(rhs));
+ SVal index = UnknownVal();
+ const MemRegion *superR = 0;
+ QualType elementType;
+
+ if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) {
+ index = evalBinOpNN(state, BO_Add, elemReg->getIndex(), rhs,
+ getArrayIndexType());
+ superR = elemReg->getSuperRegion();
+ elementType = elemReg->getElementType();
+ }
+ else if (isa<SubRegion>(region)) {
+ superR = region;
+ index = rhs;
+ if (const PointerType *PT = resultTy->getAs<PointerType>()) {
+ elementType = PT->getPointeeType();
+ }
+ else {
+ const ObjCObjectPointerType *OT =
+ resultTy->getAs<ObjCObjectPointerType>();
+ elementType = OT->getPointeeType();
+ }
+ }
+
+ if (NonLoc *indexV = dyn_cast<NonLoc>(&index)) {
+ return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV,
+ superR, getContext()));
+ }
+ }
+ return UnknownVal();
}
const llvm::APSInt *SimpleSValBuilder::getKnownValue(const GRState *state,
p[99] = 1; // no-warning
}
-// ** FIXME ** Doesn't work yet because we don't support pointer arithmetic.
// Tests doing an out-of-bounds access before the start of an array using:
// - indirect pointer to buffer, manipulated using simple pointer arithmetic
// - constant integer index
int buf[100];
int *p = buf;
p = p + 100;
- p[0] = 1; // no-warning
+ p[0] = 1; // expected-warning{{Out of bound memory access}}
}
void test1_ptr_arith_ok(int x) {
p[0] = 1; // no-warning
}
-// ** FIXME ** Doesn't work yet because we don't support pointer arithmetic.
void test1_ptr_arith_bad(int x) {
int buf[100];
int *p = buf;
p = p + 99;
- p[1] = 1; // no-warning
+ p[1] = 1; // expected-warning{{Out of bound memory access}}
}
-// ** FIXME ** we falsely emit a warning here because of our lack of
-// handling of pointer arithmetic.
void test1_ptr_arith_ok2(int x) {
int buf[100];
int *p = buf;
p = p + 99;
- p[-1] = 1; // expected-warning{{Out of bound}}
+ p[-1] = 1; // no-warning
}
// Tests doing an out-of-bounds access before the start of an array using:
projects / clang / commitdiff