virtual bool EvalCallExpr(CheckerContext &C, const CallExpr *CE) {
return false;
}
+
+ virtual const GRState *EvalAssume(const GRState *state, SVal Cond,
+ bool Assumption) {
+ return state;
+ }
};
} // end clang namespace
typedef llvm::DenseMap<void *, unsigned> CheckerMap;
CheckerMap CheckerM;
- typedef std::vector<std::pair<void *, Checker*> >CheckersOrdered;
+ typedef std::vector<std::pair<void *, Checker*> > CheckersOrdered;
CheckersOrdered Checkers;
/// BR - The BugReporter associated with this engine. It is important that
GRStmtNodeBuilder &getBuilder() { assert(Builder); return *Builder; }
/// setTransferFunctions
- void setTransferFunctions(GRTransferFuncs* tf);
+ void setTransferFunctionsAndCheckers(GRTransferFuncs* tf);
void setTransferFunctions(GRTransferFuncs& tf) {
- setTransferFunctions(&tf);
+ setTransferFunctionsAndCheckers(&tf);
}
/// ViewGraph - Visualize the ExplodedGraph created by executing the
class GRStateManager;
class GRTransferFuncs;
+class Checker;
typedef ConstraintManager* (*ConstraintManagerCreator)(GRStateManager&);
typedef StoreManager* (*StoreManagerCreator)(GRStateManager&);
SymbolManager &getSymbolManager() const;
GRTransferFuncs &getTransferFuncs() const;
+ std::vector<std::pair<void *, Checker *> >::iterator checker_begin() const;
+ std::vector<std::pair<void *, Checker *> >::iterator checker_end() const;
+
//==---------------------------------------------------------------------==//
// Constraints on values.
//==---------------------------------------------------------------------==//
/// for manipulating and creating SVals.
GRTransferFuncs* TF;
+ /// Reference to all checkers in GRExprEngine.
+ std::vector<std::pair<void *, Checker*> > *Checkers;
+
public:
GRStateManager(ASTContext& Ctx,
GRTransferFuncs& getTransferFuncs() { return *TF; }
+ std::vector<std::pair<void *, Checker *> > &getCheckers() { return *Checkers;}
+
BasicValueFactory &getBasicVals() {
return ValueMgr.getBasicValueFactory();
}
return getStateManager().getTransferFuncs();
}
+inline std::vector<std::pair<void *, Checker *> >::iterator
+GRState::checker_begin() const {
+ return getStateManager().getCheckers().begin();
+}
+
+inline std::vector<std::pair<void *, Checker *> >::iterator
+GRState::checker_end() const {
+ return getStateManager().getCheckers().end();
+}
+
template<typename T>
const GRState *GRState::add(typename GRStateTrait<T>::key_type K) const {
return getStateManager().add<T>(this, K, get_context<T>());
// Utility methods.
//===----------------------------------------------------------------------===//
-void GRExprEngine::setTransferFunctions(GRTransferFuncs* tf) {
+void GRExprEngine::setTransferFunctionsAndCheckers(GRTransferFuncs* tf) {
StateMgr.TF = tf;
+ StateMgr.Checkers = &Checkers;
tf->RegisterChecks(*this);
tf->RegisterPrinters(getStateManager().Printers);
}
namespace {
class RefState {
- enum Kind { Allocated, Released, Escaped } K;
+ enum Kind { AllocateUnchecked, AllocateFailed, Released, Escaped } K;
const Stmt *S;
public:
RefState(Kind k, const Stmt *s) : K(k), S(s) {}
- bool isAllocated() const { return K == Allocated; }
+ bool isAllocated() const { return K == AllocateUnchecked; }
bool isReleased() const { return K == Released; }
bool isEscaped() const { return K == Escaped; }
return K == X.K && S == X.S;
}
- static RefState getAllocated(const Stmt *s) { return RefState(Allocated, s); }
+ static RefState getAllocateUnchecked(const Stmt *s) {
+ return RefState(AllocateUnchecked, s);
+ }
+ static RefState getAllocateFailed() {
+ return RefState(AllocateFailed, 0);
+ }
static RefState getReleased(const Stmt *s) { return RefState(Released, s); }
static RefState getEscaped(const Stmt *s) { return RefState(Escaped, s); }
void EvalDeadSymbols(CheckerContext &C,const Stmt *S,SymbolReaper &SymReaper);
void EvalEndPath(GREndPathNodeBuilder &B, void *tag, GRExprEngine &Eng);
void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *S);
+ const GRState *EvalAssume(const GRState *state, SVal Cond, bool Assumption);
+
private:
void MallocMem(CheckerContext &C, const CallExpr *CE);
const GRState *MallocMemAux(CheckerContext &C, const CallExpr *CE,
};
} // end anonymous namespace
+typedef llvm::ImmutableMap<SymbolRef, RefState> RegionStateTy;
+
namespace clang {
template <>
struct GRStateTrait<RegionState>
SymbolRef Sym = RetVal.getAsLocSymbol();
assert(Sym);
// Set the symbol's state to Allocated.
- return state->set<RegionState>(Sym, RefState::getAllocated(CE));
+ return state->set<RegionState>(Sym, RefState::getAllocateUnchecked(CE));
}
void MallocChecker::FreeMem(CheckerContext &C, const CallExpr *CE) {
C.addTransition(state);
}
+
+const GRState *MallocChecker::EvalAssume(const GRState *state, SVal Cond,
+ bool Assumption) {
+ // If a symblic region is assumed to NULL, set its state to AllocateFailed.
+ // FIXME: should also check symbols assumed to non-null.
+
+ RegionStateTy RS = state->get<RegionState>();
+
+ for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
+ if (state->getSymVal(I.getKey()))
+ state = state->set<RegionState>(I.getKey(),RefState::getAllocateFailed());
+ }
+
+ return state;
+}
#include "SimpleConstraintManager.h"
#include "clang/Analysis/PathSensitive/GRExprEngine.h"
#include "clang/Analysis/PathSensitive/GRState.h"
+#include "clang/Analysis/PathSensitive/Checker.h"
namespace clang {
// EvalAssume is used to call into the GRTransferFunction object to perform
// any checker-specific update of the state based on this assumption being
// true or false.
- return state ? state->getTransferFuncs().EvalAssume(state, Cond, Assumption)
- : NULL;
+
+ if (!state)
+ return 0;
+
+ std::vector<std::pair<void *, Checker*> >::iterator
+ I = state->checker_begin(), E = state->checker_end();
+
+ for (; I != E; ++I) {
+ state = I->second->EvalAssume(state, Cond, Assumption);
+ }
+ return state->getTransferFuncs().EvalAssume(state, Cond, Assumption);
}
const GRState *SimpleConstraintManager::AssumeAux(const GRState *state,
// EvalAssume is used to call into the GRTransferFunction object to perform
// any checker-specific update of the state based on this assumption being
// true or false.
- return state ? state->getTransferFuncs().EvalAssume(state, Cond, Assumption)
- : NULL;
+
+ if (!state)
+ return 0;
+
+ std::vector<std::pair<void *, Checker*> >::iterator
+ I = state->checker_begin(), E = state->checker_end();
+
+ for (; I != E; ++I) {
+ state = I->second->EvalAssume(state, Cond, Assumption);
+ }
+
+ return state->getTransferFuncs().EvalAssume(state, Cond, Assumption);
}
const GRState *SimpleConstraintManager::AssumeAux(const GRState *state,
if (C.Opts.EnableExperimentalChecks)
RegisterExperimentalChecks(Eng);
- Eng.setTransferFunctions(tf);
+ Eng.setTransferFunctionsAndCheckers(tf);
// Set the graph auditor.
llvm::OwningPtr<ExplodedNode::Auditor> Auditor;
// Make a fake transfer function. The GRTransferFunc interface will be
// removed.
- Eng.setTransferFunctions(new GRTransferFuncs());
+ Eng.setTransferFunctionsAndCheckers(new GRTransferFuncs());
// Register call inliner as the last checker.
RegisterCallInliner(Eng);
q = realloc(q, 20);
return q; // no-warning
}
+
+void f6() {
+ int *p = malloc(10);
+ if (!p)
+ return; // no-warning
+ else
+ free(p);
+}
projects / clang / commitdiff