From 41168eac256fed59ec5406a75fce91c59cd5dd91 Mon Sep 17 00:00:00 2001
From: Ted Kremenek <kremenek@apple.com>
Date: Wed, 4 Mar 2009 02:43:08 +0000
Subject: [PATCH] Added the notion of a "boundable region", which is a region
 that can have a direct binding in the StoreManager.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@66005 91177308-0d34-0410-b5e6-96231b3b80d8
---
 .../clang/Analysis/PathSensitive/GRState.h    |  6 +++++
 .../clang/Analysis/PathSensitive/MemRegion.h  | 12 ++++++++++
 lib/Analysis/CFRefCount.cpp                   |  2 +-
 lib/Analysis/MemRegion.cpp                    | 22 ++++++++++++++-----
 4 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/include/clang/Analysis/PathSensitive/GRState.h b/include/clang/Analysis/PathSensitive/GRState.h
index b3f4dea860..9c30aa631d 100644
--- a/include/clang/Analysis/PathSensitive/GRState.h
+++ b/include/clang/Analysis/PathSensitive/GRState.h
@@ -488,6 +488,12 @@ public:
   }  
 
   SVal GetSValAsScalarOrLoc(const GRState* state, const MemRegion *R) {
+    // We only want to do fetches from regions that we can actually bind
+    // values.  For example, SymbolicRegions of type 'id<...>' cannot
+    // have direct bindings (but their can be bindings on their subregions).
+    if (!R->isBoundable(getContext()))
+      return UnknownVal();
+    
     if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
       QualType T = TR->getRValueType(getContext());
       if (Loc::IsLocType(T) || T->isIntegerType())
diff --git a/include/clang/Analysis/PathSensitive/MemRegion.h b/include/clang/Analysis/PathSensitive/MemRegion.h
index cd7011e53a..743a3b9098 100644
--- a/include/clang/Analysis/PathSensitive/MemRegion.h
+++ b/include/clang/Analysis/PathSensitive/MemRegion.h
@@ -69,6 +69,8 @@ public:
   virtual void print(llvm::raw_ostream& os) const;  
   
   Kind getKind() const { return kind; }  
+  
+  virtual bool isBoundable(ASTContext&) const { return true; }
 
   static bool classof(const MemRegion*) { return true; }
 };
@@ -84,6 +86,8 @@ public:
 
   void Profile(llvm::FoldingSetNodeID& ID) const;
 
+  bool isBoundable(ASTContext &) const { return false; }
+
   static bool classof(const MemRegion* R) {
     return R->getKind() == MemSpaceRegionKind;
   }
@@ -156,6 +160,13 @@ public:
   QualType getDesugaredLValueType(ASTContext& C) const {
     return getLValueType(C)->getDesugaredType();
   }
+  
+  bool isBoundable(ASTContext &C) const {
+    // FIXME: This needs to be adjusted for structures and arrays.
+    // All this will reject right now is ObjCQualifiedIdType and
+    // BlockPointerType.
+    return getLValueType(C)->isPointerType();
+  }
 
   static bool classof(const MemRegion* R) {
     unsigned k = R->getKind();
@@ -182,6 +193,7 @@ public:
   }
 
   QualType getRValueType(ASTContext& C) const;
+  QualType getLValueType(ASTContext& C) const;
 
   void Profile(llvm::FoldingSetNodeID& ID) const;
 
diff --git a/lib/Analysis/CFRefCount.cpp b/lib/Analysis/CFRefCount.cpp
index 13805dc5de..5e1857168d 100644
--- a/lib/Analysis/CFRefCount.cpp
+++ b/lib/Analysis/CFRefCount.cpp
@@ -1650,7 +1650,7 @@ void CFRefCount::EvalSummary(ExplodedNodeSet<GRState>& Dst,
           R = dyn_cast<TypedRegion>(ATR->getSuperRegion());
         }
         
-        if (R) {          
+        if (R && R->isBoundable(Ctx)) {          
           // Is the invalidated variable something that we were tracking?
           SymbolRef Sym = state.GetSValAsScalarOrLoc(R).getAsLocSymbol();
           if (Sym.isValid())
diff --git a/lib/Analysis/MemRegion.cpp b/lib/Analysis/MemRegion.cpp
index f78d937df8..8dd31b54b0 100644
--- a/lib/Analysis/MemRegion.cpp
+++ b/lib/Analysis/MemRegion.cpp
@@ -117,12 +117,22 @@ QualType SymbolicRegion::getRValueType(ASTContext& C) const {
   // Get the type of the symbol.
   QualType T = data.getType(C);
 
-  // Only when the symbol has pointer type it can have a symbolic region
-  // associated with it.
-  PointerType* PTy = cast<PointerType>(T.getTypePtr()->getDesugaredType());
+  if (const PointerType* PTy = T->getAsPointerType())
+    return PTy->getPointeeType();
+    
+  if (const BlockPointerType* PTy = T->getAsBlockPointerType())
+    return PTy->getPointeeType();
 
-  // The type of the symbolic region is the pointee type of the symbol.
-  return PTy->getPointeeType();
+  assert(!T->getAsObjCQualifiedIdType() &&
+         "There is no rvalue type for id<...>");  
+  
+  assert(Loc::IsLocType(T) && "Non-location type.");
+  return QualType();
+}
+
+QualType SymbolicRegion::getLValueType(ASTContext& C) const {
+  const SymbolData& data = SymMgr.getSymbolData(sym);
+  return data.getType(C);
 }
 
 QualType ElementRegion::getRValueType(ASTContext& C) const {
@@ -161,7 +171,7 @@ void AllocaRegion::print(llvm::raw_ostream& os) const {
 }
 
 void TypedViewRegion::print(llvm::raw_ostream& os) const {
-  os << "anon_type{" << T.getAsString() << ',';
+  os << "typed_view{" << T.getAsString() << ',';
   getSuperRegion()->print(os);
   os << '}';
 }
-- 
2.40.0