Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
if (AI == AE) {
// Process the receiver.
if (Expr* Receiver = ME->getReceiver()) {
NodeSet Tmp;
Visit(Receiver, Pred, Tmp);
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitObjCMessageExprDispatchHelper(ME, *NI, Dst);
return;
}
VisitObjCMessageExprDispatchHelper(ME, Pred, Dst);
return;
}
NodeSet Tmp;
Visit(*AI, Pred, Tmp);
++AI;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitObjCMessageExprArgHelper(ME, AI, AE, *NI, Dst);
}
void GRExprEngine::VisitObjCMessageExprDispatchHelper(ObjCMessageExpr* ME,
NodeTy* Pred,
NodeSet& Dst) {
// FIXME: More logic for the processing the method call.
ValueState* St = GetState(Pred);
if (Expr* Receiver = ME->getReceiver()) {
RVal L = GetRVal(St, Receiver);
// Check for undefined control-flow or calls to NULL.
if (L.isUndef()) {
NodeTy* N = Builder->generateNode(ME, St, Pred);
if (N) {
N->markAsSink();
UndefReceivers.insert(N);
}
return;
}
}
// Check for any arguments that are uninitialized/undefined.
for (ObjCMessageExpr::arg_iterator I = ME->arg_begin(), E = ME->arg_end();
I != E; ++I) {
if (GetRVal(St, *I).isUndef()) {
// Generate an error node for passing an uninitialized/undefined value
// as an argument to a message expression. This node is a sink.
NodeTy* N = Builder->generateNode(ME, St, Pred);
if (N) {
N->markAsSink();
MsgExprUndefArgs[N] = *I;
}
return;
}
}
// Dispatch to plug-in transfer function.
unsigned size = Dst.size();
SaveAndRestore<bool> OldSink(Builder->BuildSinks),
OldHasGen(Builder->HasGeneratedNode);
Builder->HasGeneratedNode = false;
EvalObjCMessageExpr(Dst, ME, Pred);
// Handle the case where no nodes where generated. Auto-generate that
// contains the updated state if we aren't generating sinks.
if (!Builder->BuildSinks && Dst.size() == size && !Builder->HasGeneratedNode)
MakeNode(Dst, ME, Pred, St);
//===----------------------------------------------------------------------===//
// Transfer functions: Miscellaneous statements.
//===----------------------------------------------------------------------===//
void GRExprEngine::VisitCast(Expr* CastE, Expr* Ex, NodeTy* Pred, NodeSet& Dst){
NodeSet S1;
QualType T = CastE->getType();
if (T->isReferenceType())
VisitLVal(Ex, Pred, S1);
else
Visit(Ex, Pred, S1);
Ted Kremenek
committed
// Check for casting to "void".
if (T->isVoidType()) {
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1)
Dst.Add(*I1);
return;
}
Ted Kremenek
committed
// FIXME: The rest of this should probably just go into EvalCall, and
// let the transfer function object be responsible for constructing
// nodes.
QualType ExTy = Ex->getType();
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1) {
NodeTy* N = *I1;
ValueState* St = GetState(N);
RVal V = T->isReferenceType() ? GetLVal(St, Ex) : GetRVal(St, Ex);
Ted Kremenek
committed
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
// Unknown?
if (V.isUnknown()) {
Dst.Add(N);
continue;
}
// Undefined?
if (V.isUndef()) {
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// Check for casts from pointers to integers.
if (T->isIntegerType() && ExTy->isPointerType()) {
unsigned bits = getContext().getTypeSize(ExTy);
// FIXME: Determine if the number of bits of the target type is
// equal or exceeds the number of bits to store the pointer value.
// If not, flag an error.
V = nonlval::LValAsInteger::Make(BasicVals, cast<LVal>(V), bits);
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// Check for casts from integers to pointers.
if (T->isPointerType() && ExTy->isIntegerType())
if (nonlval::LValAsInteger *LV = dyn_cast<nonlval::LValAsInteger>(&V)) {
// Just unpackage the lval and return it.
V = LV->getLVal();
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// All other cases.
MakeNode(Dst, CastE, N, SetRVal(St, CastE, EvalCast(V, CastE->getType())));
void GRExprEngine::VisitDeclStmt(DeclStmt* DS, GRExprEngine::NodeTy* Pred,
GRExprEngine::NodeSet& Dst) {
ValueState* St = GetState(Pred);
for (const ScopedDecl* D = DS->getDecl(); D; D = D->getNextDeclarator())
if (const VarDecl* VD = dyn_cast<VarDecl>(D)) {
// FIXME: Add support for local arrays.
if (VD->getType()->isArrayType())
continue;
Ted Kremenek
committed
const Expr* Ex = VD->getInit();
Ted Kremenek
committed
if (!VD->hasGlobalStorage() || VD->getStorageClass() == VarDecl::Static) {
// In this context, Static => Local variable.
assert (!VD->getStorageClass() == VarDecl::Static ||
!VD->isFileVarDecl());
Ted Kremenek
committed
// If there is no initializer, set the value of the
Ted Kremenek
committed
// variable to "Undefined".
Ted Kremenek
committed
//
// FIXME: static variables may have an initializer, but the second
// time a function is called those values may not be current.
QualType T = VD->getType();
Ted Kremenek
committed
if ( VD->getStorageClass() == VarDecl::Static) {
// C99: 6.7.8 Initialization
// If an object that has static storage duration is not initialized
// explicitly, then:
// —if it has pointer type, it is initialized to a null pointer;
// —if it has arithmetic type, it is initialized to (positive or
// unsigned) zero;
// FIXME: Handle structs. Now we treat their values as unknown.
if (T->isPointerType()) {
St = SetRVal(St, lval::DeclVal(VD),
lval::ConcreteInt(BasicVals.getValue(0, T)));
}
else if (T->isIntegerType()) {
St = SetRVal(St, lval::DeclVal(VD),
nonlval::ConcreteInt(BasicVals.getValue(0, T)));
}
}
else {
// FIXME: Handle structs. Now we treat them as unknown. What
// we need to do is treat their members as unknown.
if (T->isPointerType() || T->isIntegerType())
St = SetRVal(St, lval::DeclVal(VD),
Ex ? GetRVal(St, Ex) : UndefinedVal());
}
Ted Kremenek
committed
}
/// VisitSizeOfAlignOfTypeExpr - Transfer function for sizeof(type).
void GRExprEngine::VisitSizeOfAlignOfTypeExpr(SizeOfAlignOfTypeExpr* Ex,
NodeTy* Pred,
NodeSet& Dst) {
QualType T = Ex->getArgumentType();
uint64_t amt;
if (Ex->isSizeOf()) {
// FIXME: Add support for VLAs.
if (!T.getTypePtr()->isConstantSizeType())
return;
amt = 1; // Handle sizeof(void)
if (T != getContext().VoidTy)
amt = getContext().getTypeSize(T) / 8;
}
else // Get alignment of the type.
amt = getContext().getTypeAlign(T) / 8;
SetRVal(GetState(Pred), Ex,
NonLVal::MakeVal(BasicVals, amt, Ex->getType())));
}
void GRExprEngine::VisitDeref(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst, bool GetLVal) {
Ted Kremenek
committed
Expr* Ex = U->getSubExpr()->IgnoreParens();
Ted Kremenek
committed
NodeSet DstTmp;
DstTmp.Add(Pred);
Visit(Ex, Pred, DstTmp);
for (NodeSet::iterator I = DstTmp.begin(), DE = DstTmp.end(); I != DE; ++I) {
Ted Kremenek
committed
ValueState* St = GetState(Pred);
RVal V = GetRVal(St, Ex);
Ted Kremenek
committed
VisitDeref(U, V, St, Pred, Dst, GetLVal);
}
}
void GRExprEngine::VisitDeref(Expr* Ex, RVal V, ValueState* St, NodeTy* Pred,
NodeSet& Dst, bool GetLVal) {
// Check for dereferences of undefined values.
if (V.isUndef()) {
if (NodeTy* Succ = Builder->generateNode(Ex, St, Pred)) {
Succ->markAsSink();
UndefDeref.insert(Succ);
}
Ted Kremenek
committed
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
return;
}
// Check for dereferences of unknown values. Treat as No-Ops.
if (V.isUnknown()) {
Dst.Add(Pred);
return;
}
// After a dereference, one of two possible situations arise:
// (1) A crash, because the pointer was NULL.
// (2) The pointer is not NULL, and the dereference works.
//
// We add these assumptions.
LVal LV = cast<LVal>(V);
bool isFeasibleNotNull;
// "Assume" that the pointer is Not-NULL.
ValueState* StNotNull = Assume(St, LV, true, isFeasibleNotNull);
if (isFeasibleNotNull) {
Ted Kremenek
committed
if (GetLVal)
MakeNode(Dst, Ex, Pred, SetRVal(StNotNull, Ex, LV));
else {
Ted Kremenek
committed
// FIXME: Currently symbolic analysis "generates" new symbols
// for the contents of values. We need a better approach.
MakeNode(Dst, Ex, Pred,
SetRVal(StNotNull, Ex, GetRVal(StNotNull, LV, Ex->getType())));
}
Ted Kremenek
committed
}
bool isFeasibleNull;
// Now "assume" that the pointer is NULL.
ValueState* StNull = Assume(St, LV, false, isFeasibleNull);
if (isFeasibleNull) {
Ted Kremenek
committed
// We don't use "MakeNode" here because the node will be a sink
// and we have no intention of processing it later.
Ted Kremenek
committed
NodeTy* NullNode = Builder->generateNode(Ex, StNull, Pred);
Ted Kremenek
committed
if (NullNode) {
Ted Kremenek
committed
NullNode->markAsSink();
Ted Kremenek
committed
if (isFeasibleNotNull) ImplicitNullDeref.insert(NullNode);
else ExplicitNullDeref.insert(NullNode);
}
}
}
void GRExprEngine::VisitUnaryOperator(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst) {
NodeSet S1;
assert (U->getOpcode() != UnaryOperator::Deref);
assert (U->getOpcode() != UnaryOperator::SizeOf);
assert (U->getOpcode() != UnaryOperator::AlignOf);
bool use_GetLVal = false;
switch (U->getOpcode()) {
case UnaryOperator::PostInc:
case UnaryOperator::PostDec:
case UnaryOperator::PreInc:
case UnaryOperator::PreDec:
case UnaryOperator::AddrOf:
// Evalue subexpression as an LVal.
use_GetLVal = true;
VisitLVal(U->getSubExpr(), Pred, S1);
break;
default:
Visit(U->getSubExpr(), Pred, S1);
break;
}
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1) {
NodeTy* N1 = *I1;
ValueState* St = GetState(N1);
RVal SubV = use_GetLVal ? GetLVal(St, U->getSubExpr()) :
GetRVal(St, U->getSubExpr());
if (SubV.isUnknown()) {
Dst.Add(N1);
continue;
}
Ted Kremenek
committed
if (SubV.isUndef()) {
MakeNode(Dst, U, N1, SetRVal(St, U, SubV));
continue;
}
if (U->isIncrementDecrementOp()) {
// Handle ++ and -- (both pre- and post-increment).
LVal SubLV = cast<LVal>(SubV);
RVal V = GetRVal(St, SubLV, U->getType());
if (V.isUnknown()) {
Dst.Add(N1);
continue;
}
Ted Kremenek
committed
// Propagate undefined values.
if (V.isUndef()) {
continue;
}
// Handle all other values.
BinaryOperator::Opcode Op = U->isIncrementOp() ? BinaryOperator::Add
: BinaryOperator::Sub;
RVal Result = EvalBinOp(Op, V, MakeConstantVal(1U, U));
if (U->isPostfix())
St = SetRVal(SetRVal(St, U, V), SubLV, Result);
St = SetRVal(SetRVal(St, U, Result), SubLV, Result);
continue;
}
// Handle all other unary operators.
switch (U->getOpcode()) {
case UnaryOperator::Extension:
St = SetRVal(St, U, SubV);
break;
case UnaryOperator::Minus:
St = SetRVal(St, U, EvalMinus(U, cast<NonLVal>(SubV)));
case UnaryOperator::Not:
St = SetRVal(St, U, EvalComplement(cast<NonLVal>(SubV)));
case UnaryOperator::LNot:
// C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
//
// Note: technically we do "E == 0", but this is the same in the
// transfer functions as "0 == E".
if (isa<LVal>(SubV)) {
lval::ConcreteInt V(BasicVals.getZeroWithPtrWidth());
RVal Result = EvalBinOp(BinaryOperator::EQ, cast<LVal>(SubV), V);
St = SetRVal(St, U, Result);
}
else {
Ted Kremenek
committed
Expr* Ex = U->getSubExpr();
nonlval::ConcreteInt V(BasicVals.getValue(0, Ex->getType()));
RVal Result = EvalBinOp(BinaryOperator::EQ, cast<NonLVal>(SubV), V);
St = SetRVal(St, U, Result);
}
break;
case UnaryOperator::AddrOf: {
assert (isa<LVal>(SubV));
St = SetRVal(St, U, SubV);
break;
}
default: ;
assert (false && "Not implemented.");
}
}
}
void GRExprEngine::VisitSizeOfExpr(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst) {
QualType T = U->getSubExpr()->getType();
// FIXME: Add support for VLAs.
if (!T.getTypePtr()->isConstantSizeType())
return;
uint64_t size = getContext().getTypeSize(T) / 8;
ValueState* St = GetState(Pred);
St = SetRVal(St, U, NonLVal::MakeVal(BasicVals, size, U->getType()));
}
void GRExprEngine::VisitLVal(Expr* Ex, NodeTy* Pred, NodeSet& Dst) {
Ted Kremenek
committed
Ex = Ex->IgnoreParens();
Ted Kremenek
committed
if (Ex != CurrentStmt && getCFG().isBlkExpr(Ex)) {
Dst.Add(Pred);
Ted Kremenek
committed
switch (Ex->getStmtClass()) {
default:
break;
case Stmt::ArraySubscriptExprClass:
VisitArraySubscriptExpr(cast<ArraySubscriptExpr>(Ex), Pred, Dst, true);
return;
Ted Kremenek
committed
case Stmt::DeclRefExprClass:
Dst.Add(Pred);
Ted Kremenek
committed
case Stmt::UnaryOperatorClass: {
UnaryOperator* U = cast<UnaryOperator>(Ex);
if (U->getOpcode() == UnaryOperator::Deref) {
VisitDeref(U, Pred, Dst, true);
return;
}
break;
Ted Kremenek
committed
case Stmt::MemberExprClass:
VisitMemberExpr(cast<MemberExpr>(Ex), Pred, Dst, true);
return;
}
Visit(Ex, Pred, Dst);
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
void GRExprEngine::VisitAsmStmt(AsmStmt* A, NodeTy* Pred, NodeSet& Dst) {
VisitAsmStmtHelperOutputs(A, A->begin_outputs(), A->end_outputs(), Pred, Dst);
}
void GRExprEngine::VisitAsmStmtHelperOutputs(AsmStmt* A,
AsmStmt::outputs_iterator I,
AsmStmt::outputs_iterator E,
NodeTy* Pred, NodeSet& Dst) {
if (I == E) {
VisitAsmStmtHelperInputs(A, A->begin_inputs(), A->end_inputs(), Pred, Dst);
return;
}
NodeSet Tmp;
VisitLVal(*I, Pred, Tmp);
++I;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitAsmStmtHelperOutputs(A, I, E, *NI, Dst);
}
void GRExprEngine::VisitAsmStmtHelperInputs(AsmStmt* A,
AsmStmt::inputs_iterator I,
AsmStmt::inputs_iterator E,
NodeTy* Pred, NodeSet& Dst) {
if (I == E) {
// We have processed both the inputs and the outputs. All of the outputs
// should evaluate to LVals. Nuke all of their values.
// FIXME: Some day in the future it would be nice to allow a "plug-in"
// which interprets the inline asm and stores proper results in the
// outputs.
ValueState* St = GetState(Pred);
for (AsmStmt::outputs_iterator OI = A->begin_outputs(),
OE = A->end_outputs(); OI != OE; ++OI) {
RVal X = GetLVal(St, *OI);
assert (!isa<NonLVal>(X));
if (isa<LVal>(X))
St = SetRVal(St, cast<LVal>(X), UnknownVal());
}
return;
}
NodeSet Tmp;
Visit(*I, Pred, Tmp);
++I;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitAsmStmtHelperInputs(A, I, E, *NI, Dst);
}
Ted Kremenek
committed
void GRExprEngine::EvalReturn(NodeSet& Dst, ReturnStmt* S, NodeTy* Pred) {
assert (Builder && "GRStmtNodeBuilder must be defined.");
unsigned size = Dst.size();
SaveAndRestore<bool> OldSink(Builder->BuildSinks),
OldHasGen(Builder->HasGeneratedNode);
Ted Kremenek
committed
Builder->HasGeneratedNode = false;
Ted Kremenek
committed
TF->EvalReturn(Dst, *this, *Builder, S, Pred);
// Handle the case where no nodes where generated.
Ted Kremenek
committed
if (!Builder->BuildSinks && Dst.size() == size && !Builder->HasGeneratedNode)
Ted Kremenek
committed
MakeNode(Dst, S, Pred, GetState(Pred));
}
void GRExprEngine::VisitReturnStmt(ReturnStmt* S, NodeTy* Pred, NodeSet& Dst) {
Expr* R = S->getRetValue();
if (!R) {
Ted Kremenek
committed
EvalReturn(Dst, S, Pred);
return;
}
Ted Kremenek
committed
NodeSet DstRet;
QualType T = R->getType();
if (T->isPointerLikeType()) {
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
// Check if any of the return values return the address of a stack variable.
NodeSet Tmp;
Visit(R, Pred, Tmp);
for (NodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
RVal X = GetRVal((*I)->getState(), R);
if (isa<lval::DeclVal>(X)) {
if (cast<lval::DeclVal>(X).getDecl()->hasLocalStorage()) {
// Create a special node representing the v
NodeTy* RetStackNode = Builder->generateNode(S, GetState(*I), *I);
if (RetStackNode) {
RetStackNode->markAsSink();
RetsStackAddr.insert(RetStackNode);
}
continue;
}
}
Ted Kremenek
committed
DstRet.Add(*I);
}
}
else
Ted Kremenek
committed
Visit(R, Pred, DstRet);
for (NodeSet::iterator I=DstRet.begin(), E=DstRet.end(); I!=E; ++I)
EvalReturn(Dst, S, *I);
}
//===----------------------------------------------------------------------===//
// Transfer functions: Binary operators.
//===----------------------------------------------------------------------===//
void GRExprEngine::VisitBinaryOperator(BinaryOperator* B,
GRExprEngine::NodeTy* Pred,
GRExprEngine::NodeSet& Dst) {
Ted Kremenek
committed
NodeSet S1;
if (B->isAssignmentOp())
VisitLVal(B->getLHS(), Pred, S1);
else
Visit(B->getLHS(), Pred, S1);
Ted Kremenek
committed
for (NodeSet::iterator I1=S1.begin(), E1=S1.end(); I1 != E1; ++I1) {
Ted Kremenek
committed
NodeTy* N1 = *I1;
Ted Kremenek
committed
// When getting the value for the LHS, check if we are in an assignment.
// In such cases, we want to (initially) treat the LHS as an LVal,
// so we use GetLVal instead of GetRVal so that DeclRefExpr's are
// evaluated to LValDecl's instead of to an NonLVal.
RVal LeftV = B->isAssignmentOp() ? GetLVal(GetState(N1), B->getLHS())
: GetRVal(GetState(N1), B->getLHS());
// Visit the RHS...
NodeSet S2;
Ted Kremenek
committed
Visit(B->getRHS(), N1, S2);
// Process the binary operator.
Ted Kremenek
committed
for (NodeSet::iterator I2 = S2.begin(), E2 = S2.end(); I2 != E2; ++I2) {
Ted Kremenek
committed
NodeTy* N2 = *I2;
ValueState* St = GetState(N2);
Expr* RHS = B->getRHS();
RVal RightV = GetRVal(St, RHS);
Ted Kremenek
committed
BinaryOperator::Opcode Op = B->getOpcode();
if ((Op == BinaryOperator::Div || Op == BinaryOperator::Rem)
&& RHS->getType()->isIntegerType()) {
Ted Kremenek
committed
// Check if the denominator is undefined.
if (!RightV.isUnknown()) {
Ted Kremenek
committed
if (RightV.isUndef()) {
NodeTy* DivUndef = Builder->generateNode(B, St, N2);
Ted Kremenek
committed
if (DivUndef) {
DivUndef->markAsSink();
ExplicitBadDivides.insert(DivUndef);
}
continue;
}
// Check for divide/remainder-by-zero.
//
Ted Kremenek
committed
// First, "assume" that the denominator is 0 or undefined.
bool isFeasibleZero = false;
ValueState* ZeroSt = Assume(St, RightV, false, isFeasibleZero);
// Second, "assume" that the denominator cannot be 0.
bool isFeasibleNotZero = false;
St = Assume(St, RightV, true, isFeasibleNotZero);
// Create the node for the divide-by-zero (if it occurred).
if (isFeasibleZero)
Ted Kremenek
committed
if (NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2)) {
DivZeroNode->markAsSink();
if (isFeasibleNotZero)
ImplicitBadDivides.insert(DivZeroNode);
else
ExplicitBadDivides.insert(DivZeroNode);
if (!isFeasibleNotZero)
continue;
}
// Fall-through. The logic below processes the divide.
}
Ted Kremenek
committed
if (Op <= BinaryOperator::Or) {
// Process non-assignements except commas or short-circuited
// logical expressions (LAnd and LOr).
RVal Result = EvalBinOp(Op, LeftV, RightV);
if (Result.isUnknown()) {
Dst.Add(N2);
Ted Kremenek
committed
if (Result.isUndef() && !LeftV.isUndef() && !RightV.isUndef()) {
// The operands were not undefined, but the result is undefined.
if (NodeTy* UndefNode = Builder->generateNode(B, St, N2)) {
UndefNode->markAsSink();
UndefResults.insert(UndefNode);
}
continue;
}
MakeNode(Dst, B, N2, SetRVal(St, B, Result));
continue;
}
// Process assignments.
switch (Op) {
Ted Kremenek
committed
case BinaryOperator::Assign: {
// Simple assignments.
Ted Kremenek
committed
if (LeftV.isUndef()) {
HandleUndefinedStore(B, N2);
continue;
}
Ted Kremenek
committed
// EXPERIMENTAL: "Conjured" symbols.
if (RightV.isUnknown()) {
unsigned Count = Builder->getCurrentBlockCount();
SymbolID Sym = SymMgr.getConjuredSymbol(B->getRHS(), Count);
RightV = B->getRHS()->getType()->isPointerType()
? cast<RVal>(lval::SymbolVal(Sym))
: cast<RVal>(nonlval::SymbolVal(Sym));
}
// Simulate the effects of a "store": bind the value of the RHS
// to the L-Value represented by the LHS.
Ted Kremenek
committed
EvalStore(Dst, B, N2, SetRVal(St, B, RightV),
Ted Kremenek
committed
LeftV, RightV);
Ted Kremenek
committed
continue;
Ted Kremenek
committed
}
// Compound assignment operators.
default: {
assert (B->isCompoundAssignmentOp());
if (Op >= BinaryOperator::AndAssign)
((int&) Op) -= (BinaryOperator::AndAssign - BinaryOperator::And);
else
((int&) Op) -= BinaryOperator::MulAssign;
Ted Kremenek
committed
// Check if the LHS is undefined.
Ted Kremenek
committed
if (LeftV.isUndef()) {
HandleUndefinedStore(B, N2);
continue;
}
if (LeftV.isUnknown()) {
assert (isa<UnknownVal>(GetRVal(St, B)));
Dst.Add(N2);
continue;
}
// At this pointer we know that the LHS evaluates to an LVal
// that is neither "Unknown" or "Undefined."
LVal LeftLV = cast<LVal>(LeftV);
// Fetch the value of the LHS (the value of the variable, etc.).
RVal V = GetRVal(GetState(N1), LeftLV, B->getLHS()->getType());
Ted Kremenek
committed
// Propagate undefined value (left-side). We
// propogate undefined values for the RHS below when
// we also check for divide-by-zero.
Ted Kremenek
committed
if (V.isUndef()) {
St = SetRVal(St, B, V);
break;
}
// Propagate unknown values.
if (V.isUnknown()) {
// The value bound to LeftV is unknown. Thus we just
// propagate the current node (as "B" is already bound to nothing).
assert (isa<UnknownVal>(GetRVal(St, B)));
Dst.Add(N2);
continue;
}
if (RightV.isUnknown()) {
assert (isa<UnknownVal>(GetRVal(St, B)));
St = SetRVal(St, LeftLV, UnknownVal());
break;
}
// At this point:
//
Ted Kremenek
committed
// The LHS is not Undef/Unknown.
// The RHS is not Unknown.
// Get the computation type.
QualType CTy = cast<CompoundAssignOperator>(B)->getComputationType();
// Perform promotions.
V = EvalCast(V, CTy);
// Evaluate operands and promote to result type.
if ((Op == BinaryOperator::Div || Op == BinaryOperator::Rem)
&& RHS->getType()->isIntegerType()) {
Ted Kremenek
committed
// Check if the denominator is undefined.
Ted Kremenek
committed
if (RightV.isUndef()) {
NodeTy* DivUndef = Builder->generateNode(B, St, N2);
Ted Kremenek
committed
if (DivUndef) {
DivUndef->markAsSink();
ExplicitBadDivides.insert(DivUndef);
}
continue;
}
// First, "assume" that the denominator is 0.
bool isFeasibleZero = false;
ValueState* ZeroSt = Assume(St, RightV, false, isFeasibleZero);
// Second, "assume" that the denominator cannot be 0.
bool isFeasibleNotZero = false;
St = Assume(St, RightV, true, isFeasibleNotZero);
// Create the node for the divide-by-zero error (if it occurred).
if (isFeasibleZero) {
NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2);
if (DivZeroNode) {
DivZeroNode->markAsSink();
if (isFeasibleNotZero)
ImplicitBadDivides.insert(DivZeroNode);
else
ExplicitBadDivides.insert(DivZeroNode);
}
}
if (!isFeasibleNotZero)
continue;
// Fall-through. The logic below processes the divide.
}
else {
Ted Kremenek
committed
// Propagate undefined values (right-side).
Ted Kremenek
committed
if (RightV.isUndef()) {
St = SetRVal(SetRVal(St, B, RightV), LeftLV, RightV);
break;
}
}
RVal Result = EvalCast(EvalBinOp(Op, V, RightV), B->getType());
Ted Kremenek
committed
if (Result.isUndef()) {
// The operands were not undefined, but the result is undefined.
if (NodeTy* UndefNode = Builder->generateNode(B, St, N2)) {
UndefNode->markAsSink();
UndefResults.insert(UndefNode);
}
continue;
}
Ted Kremenek
committed
// St = SetRVal(SetRVal(St, B, Result), LeftLV, Result);
Ted Kremenek
committed
EvalStore(Dst, B, N2, SetRVal(St, B, Result), LeftLV, Result);
Ted Kremenek
committed
continue;
Ted Kremenek
committed
}
}
}
}
Ted Kremenek
committed
void GRExprEngine::HandleUndefinedStore(Stmt* S, NodeTy* Pred) {
NodeTy* N = Builder->generateNode(S, GetState(Pred), Pred);
N->markAsSink();
Ted Kremenek
committed
UndefStores.insert(N);
//===----------------------------------------------------------------------===//
// "Assume" logic.
//===----------------------------------------------------------------------===//
ValueState* GRExprEngine::Assume(ValueState* St, LVal Cond,
bool Assumption, bool& isFeasible) {
St = AssumeAux(St, Cond, Assumption, isFeasible);
return isFeasible ? TF->EvalAssume(*this, St, Cond, Assumption, isFeasible)
: St;
}
ValueState* GRExprEngine::AssumeAux(ValueState* St, LVal Cond,
bool Assumption, bool& isFeasible) {
switch (Cond.getSubKind()) {