Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
Pred, Dst);
}
void GRExprEngine::VisitObjCMessageExprArgHelper(ObjCMessageExpr* ME,
ObjCMessageExpr::arg_iterator AI,
ObjCMessageExpr::arg_iterator AE,
NodeTy* Pred, NodeSet& Dst) {
if (AI == AE) {
// Process the receiver.
if (Expr* Receiver = ME->getReceiver()) {
NodeSet Tmp;
Visit(Receiver, Pred, Tmp);
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitObjCMessageExprDispatchHelper(ME, *NI, Dst);
return;
}
VisitObjCMessageExprDispatchHelper(ME, Pred, Dst);
return;
}
NodeSet Tmp;
Visit(*AI, Pred, Tmp);
++AI;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitObjCMessageExprArgHelper(ME, AI, AE, *NI, Dst);
}
void GRExprEngine::VisitObjCMessageExprDispatchHelper(ObjCMessageExpr* ME,
NodeTy* Pred,
NodeSet& Dst) {
// FIXME: More logic for the processing the method call.
ValueState* St = GetState(Pred);
if (Expr* Receiver = ME->getReceiver()) {
RVal L = GetRVal(St, Receiver);
// Check for undefined control-flow or calls to NULL.
if (L.isUndef()) {
NodeTy* N = Builder->generateNode(ME, St, Pred);
if (N) {
N->markAsSink();
UndefReceivers.insert(N);
}
return;
}
}
// Check for any arguments that are uninitialized/undefined.
for (ObjCMessageExpr::arg_iterator I = ME->arg_begin(), E = ME->arg_end();
I != E; ++I) {
if (GetRVal(St, *I).isUndef()) {
// Generate an error node for passing an uninitialized/undefined value
// as an argument to a message expression. This node is a sink.
NodeTy* N = Builder->generateNode(ME, St, Pred);
if (N) {
N->markAsSink();
MsgExprUndefArgs[N] = *I;
}
return;
}
}
// Dispatch to plug-in transfer function.
unsigned size = Dst.size();
SaveAndRestore<bool> OldSink(Builder->BuildSinks),
OldHasGen(Builder->HasGeneratedNode);
Builder->HasGeneratedNode = false;
EvalObjCMessageExpr(Dst, ME, Pred);
// Handle the case where no nodes where generated. Auto-generate that
// contains the updated state if we aren't generating sinks.
if (!Builder->BuildSinks && Dst.size() == size && !Builder->HasGeneratedNode)
MakeNode(Dst, ME, Pred, St);
//===----------------------------------------------------------------------===//
// Transfer functions: Miscellaneous statements.
//===----------------------------------------------------------------------===//
void GRExprEngine::VisitCast(Expr* CastE, Expr* Ex, NodeTy* Pred, NodeSet& Dst){
NodeSet S1;
QualType T = CastE->getType();
if (T->isReferenceType())
VisitLVal(Ex, Pred, S1);
else
Visit(Ex, Pred, S1);
Ted Kremenek
committed
// Check for casting to "void".
if (T->isVoidType()) {
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1)
Dst.Add(*I1);
return;
}
Ted Kremenek
committed
// FIXME: The rest of this should probably just go into EvalCall, and
// let the transfer function object be responsible for constructing
// nodes.
QualType ExTy = Ex->getType();
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1) {
NodeTy* N = *I1;
ValueState* St = GetState(N);
RVal V = T->isReferenceType() ? GetLVal(St, Ex) : GetRVal(St, Ex);
Ted Kremenek
committed
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
// Unknown?
if (V.isUnknown()) {
Dst.Add(N);
continue;
}
// Undefined?
if (V.isUndef()) {
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// Check for casts from pointers to integers.
if (T->isIntegerType() && ExTy->isPointerType()) {
unsigned bits = getContext().getTypeSize(ExTy);
// FIXME: Determine if the number of bits of the target type is
// equal or exceeds the number of bits to store the pointer value.
// If not, flag an error.
V = nonlval::LValAsInteger::Make(BasicVals, cast<LVal>(V), bits);
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// Check for casts from integers to pointers.
if (T->isPointerType() && ExTy->isIntegerType())
if (nonlval::LValAsInteger *LV = dyn_cast<nonlval::LValAsInteger>(&V)) {
// Just unpackage the lval and return it.
V = LV->getLVal();
MakeNode(Dst, CastE, N, SetRVal(St, CastE, V));
continue;
}
// All other cases.
MakeNode(Dst, CastE, N, SetRVal(St, CastE, EvalCast(V, CastE->getType())));
void GRExprEngine::VisitDeclStmt(DeclStmt* DS, NodeTy* Pred, NodeSet& Dst) {
VisitDeclStmtAux(DS, DS->getDecl(), Pred, Dst);
}
void GRExprEngine::VisitDeclStmtAux(DeclStmt* DS, ScopedDecl* D,
NodeTy* Pred, NodeSet& Dst) {
if (!D)
return;
if (!isa<VarDecl>(D)) {
VisitDeclStmtAux(DS, D->getNextDeclarator(), Pred, Dst);
return;
}
const VarDecl* VD = dyn_cast<VarDecl>(D);
// FIXME: Add support for local arrays.
if (VD->getType()->isArrayType()) {
VisitDeclStmtAux(DS, D->getNextDeclarator(), Pred, Dst);
return;
}
Expr* Ex = const_cast<Expr*>(VD->getInit());
// FIXME: static variables may have an initializer, but the second
// time a function is called those values may not be current.
NodeSet Tmp;
if (Ex) Visit(Ex, Pred, Tmp);
if (Tmp.empty()) Tmp.Add(Pred);
for (NodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
ValueState* St = GetState(*I);
if (!Ex && VD->hasGlobalStorage()) {
// Handle variables with global storage and no initializers.
// FIXME: static variables may have an initializer, but the second
// time a function is called those values may not be current.
// In this context, Static => Local variable.
assert (!VD->getStorageClass() == VarDecl::Static ||
!VD->isFileVarDecl());
// If there is no initializer, set the value of the
// variable to "Undefined".
if (VD->getStorageClass() == VarDecl::Static) {
// C99: 6.7.8 Initialization
// If an object that has static storage duration is not initialized
// explicitly, then:
// —if it has pointer type, it is initialized to a null pointer;
// —if it has arithmetic type, it is initialized to (positive or
// unsigned) zero;
Ted Kremenek
committed
// FIXME: Handle structs. Now we treat their values as unknown.
QualType T = VD->getType();
Ted Kremenek
committed
if (T->isPointerType())
St = SetRVal(St, lval::DeclVal(VD),
lval::ConcreteInt(BasicVals.getValue(0, T)));
else if (T->isIntegerType())
St = SetRVal(St, lval::DeclVal(VD),
nonlval::ConcreteInt(BasicVals.getValue(0, T)));
// FIXME: Handle structs. Now we treat them as unknown. What
// we need to do is treat their members as unknown.
Ted Kremenek
committed
}
else {
// FIXME: Handle structs. Now we treat them as unknown. What
// we need to do is treat their members as unknown.
QualType T = VD->getType();
if (T->isPointerType() || T->isIntegerType())
St = SetRVal(St, lval::DeclVal(VD),
Ex ? GetRVal(St, Ex) : UndefinedVal());
}
// Create a new node. We don't really need to create a new NodeSet
// here, but it simplifies things and doesn't cost much.
NodeSet Tmp2;
MakeNode(Tmp2, DS, *I, St);
if (Tmp2.empty()) Tmp2.Add(*I);
for (NodeSet::iterator I2=Tmp2.begin(), E2=Tmp2.end(); I2!=E2; ++I2)
VisitDeclStmtAux(DS, D->getNextDeclarator(), *I2, Dst);
}
}
/// VisitSizeOfAlignOfTypeExpr - Transfer function for sizeof(type).
void GRExprEngine::VisitSizeOfAlignOfTypeExpr(SizeOfAlignOfTypeExpr* Ex,
NodeTy* Pred,
NodeSet& Dst) {
QualType T = Ex->getArgumentType();
uint64_t amt;
if (Ex->isSizeOf()) {
// FIXME: Add support for VLAs.
if (!T.getTypePtr()->isConstantSizeType())
return;
amt = 1; // Handle sizeof(void)
if (T != getContext().VoidTy)
amt = getContext().getTypeSize(T) / 8;
}
else // Get alignment of the type.
amt = getContext().getTypeAlign(T) / 8;
SetRVal(GetState(Pred), Ex,
NonLVal::MakeVal(BasicVals, amt, Ex->getType())));
}
void GRExprEngine::VisitDeref(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst, bool GetLVal) {
Ted Kremenek
committed
Expr* Ex = U->getSubExpr()->IgnoreParens();
Ted Kremenek
committed
NodeSet DstTmp;
DstTmp.Add(Pred);
Visit(Ex, Pred, DstTmp);
for (NodeSet::iterator I = DstTmp.begin(), DE = DstTmp.end(); I != DE; ++I) {
Ted Kremenek
committed
ValueState* St = GetState(Pred);
RVal V = GetRVal(St, Ex);
Ted Kremenek
committed
VisitDeref(U, V, St, Pred, Dst, GetLVal);
}
}
void GRExprEngine::VisitDeref(Expr* Ex, RVal V, ValueState* St, NodeTy* Pred,
NodeSet& Dst, bool GetLVal) {
// Check for dereferences of undefined values.
if (V.isUndef()) {
if (NodeTy* Succ = Builder->generateNode(Ex, St, Pred)) {
Succ->markAsSink();
UndefDeref.insert(Succ);
}
Ted Kremenek
committed
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
return;
}
// Check for dereferences of unknown values. Treat as No-Ops.
if (V.isUnknown()) {
Dst.Add(Pred);
return;
}
// After a dereference, one of two possible situations arise:
// (1) A crash, because the pointer was NULL.
// (2) The pointer is not NULL, and the dereference works.
//
// We add these assumptions.
LVal LV = cast<LVal>(V);
bool isFeasibleNotNull;
// "Assume" that the pointer is Not-NULL.
ValueState* StNotNull = Assume(St, LV, true, isFeasibleNotNull);
if (isFeasibleNotNull) {
Ted Kremenek
committed
if (GetLVal)
MakeNode(Dst, Ex, Pred, SetRVal(StNotNull, Ex, LV));
else {
Ted Kremenek
committed
// FIXME: Currently symbolic analysis "generates" new symbols
// for the contents of values. We need a better approach.
MakeNode(Dst, Ex, Pred,
SetRVal(StNotNull, Ex, GetRVal(StNotNull, LV, Ex->getType())));
}
Ted Kremenek
committed
}
bool isFeasibleNull;
// Now "assume" that the pointer is NULL.
ValueState* StNull = Assume(St, LV, false, isFeasibleNull);
if (isFeasibleNull) {
Ted Kremenek
committed
// We don't use "MakeNode" here because the node will be a sink
// and we have no intention of processing it later.
Ted Kremenek
committed
NodeTy* NullNode = Builder->generateNode(Ex, StNull, Pred);
Ted Kremenek
committed
if (NullNode) {
Ted Kremenek
committed
NullNode->markAsSink();
Ted Kremenek
committed
if (isFeasibleNotNull) ImplicitNullDeref.insert(NullNode);
else ExplicitNullDeref.insert(NullNode);
}
}
}
void GRExprEngine::VisitUnaryOperator(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst) {
NodeSet S1;
assert (U->getOpcode() != UnaryOperator::Deref);
assert (U->getOpcode() != UnaryOperator::SizeOf);
assert (U->getOpcode() != UnaryOperator::AlignOf);
bool use_GetLVal = false;
switch (U->getOpcode()) {
case UnaryOperator::PostInc:
case UnaryOperator::PostDec:
case UnaryOperator::PreInc:
case UnaryOperator::PreDec:
case UnaryOperator::AddrOf:
// Evalue subexpression as an LVal.
use_GetLVal = true;
VisitLVal(U->getSubExpr(), Pred, S1);
break;
default:
Visit(U->getSubExpr(), Pred, S1);
break;
}
for (NodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1) {
NodeTy* N1 = *I1;
ValueState* St = GetState(N1);
RVal SubV = use_GetLVal ? GetLVal(St, U->getSubExpr()) :
GetRVal(St, U->getSubExpr());
if (SubV.isUnknown()) {
Dst.Add(N1);
continue;
}
Ted Kremenek
committed
if (SubV.isUndef()) {
MakeNode(Dst, U, N1, SetRVal(St, U, SubV));
continue;
}
if (U->isIncrementDecrementOp()) {
// Handle ++ and -- (both pre- and post-increment).
LVal SubLV = cast<LVal>(SubV);
RVal V = GetRVal(St, SubLV, U->getType());
if (V.isUnknown()) {
Dst.Add(N1);
continue;
}
Ted Kremenek
committed
// Propagate undefined values.
if (V.isUndef()) {
continue;
}
// Handle all other values.
BinaryOperator::Opcode Op = U->isIncrementOp() ? BinaryOperator::Add
: BinaryOperator::Sub;
RVal Result = EvalBinOp(Op, V, MakeConstantVal(1U, U));
if (U->isPostfix())
St = SetRVal(SetRVal(St, U, V), SubLV, Result);
St = SetRVal(SetRVal(St, U, Result), SubLV, Result);
continue;
}
// Handle all other unary operators.
switch (U->getOpcode()) {
case UnaryOperator::Extension:
St = SetRVal(St, U, SubV);
break;
case UnaryOperator::Minus:
St = SetRVal(St, U, EvalMinus(U, cast<NonLVal>(SubV)));
case UnaryOperator::Not:
St = SetRVal(St, U, EvalComplement(cast<NonLVal>(SubV)));
case UnaryOperator::LNot:
// C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
//
// Note: technically we do "E == 0", but this is the same in the
// transfer functions as "0 == E".
if (isa<LVal>(SubV)) {
lval::ConcreteInt V(BasicVals.getZeroWithPtrWidth());
RVal Result = EvalBinOp(BinaryOperator::EQ, cast<LVal>(SubV), V);
St = SetRVal(St, U, Result);
}
else {
Ted Kremenek
committed
Expr* Ex = U->getSubExpr();
nonlval::ConcreteInt V(BasicVals.getValue(0, Ex->getType()));
RVal Result = EvalBinOp(BinaryOperator::EQ, cast<NonLVal>(SubV), V);
St = SetRVal(St, U, Result);
}
break;
case UnaryOperator::AddrOf: {
assert (isa<LVal>(SubV));
St = SetRVal(St, U, SubV);
break;
}
default: ;
assert (false && "Not implemented.");
}
}
}
void GRExprEngine::VisitSizeOfExpr(UnaryOperator* U, NodeTy* Pred,
NodeSet& Dst) {
QualType T = U->getSubExpr()->getType();
// FIXME: Add support for VLAs.
if (!T.getTypePtr()->isConstantSizeType())
return;
uint64_t size = getContext().getTypeSize(T) / 8;
ValueState* St = GetState(Pred);
St = SetRVal(St, U, NonLVal::MakeVal(BasicVals, size, U->getType()));
}
void GRExprEngine::VisitLVal(Expr* Ex, NodeTy* Pred, NodeSet& Dst) {
Ted Kremenek
committed
Ex = Ex->IgnoreParens();
Ted Kremenek
committed
if (Ex != CurrentStmt && getCFG().isBlkExpr(Ex)) {
Dst.Add(Pred);
Ted Kremenek
committed
switch (Ex->getStmtClass()) {
default:
break;
case Stmt::ArraySubscriptExprClass:
VisitArraySubscriptExpr(cast<ArraySubscriptExpr>(Ex), Pred, Dst, true);
return;
Ted Kremenek
committed
case Stmt::DeclRefExprClass:
Dst.Add(Pred);
Ted Kremenek
committed
case Stmt::UnaryOperatorClass: {
UnaryOperator* U = cast<UnaryOperator>(Ex);
if (U->getOpcode() == UnaryOperator::Deref) {
VisitDeref(U, Pred, Dst, true);
return;
}
break;
Ted Kremenek
committed
case Stmt::MemberExprClass:
VisitMemberExpr(cast<MemberExpr>(Ex), Pred, Dst, true);
return;
}
Visit(Ex, Pred, Dst);
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
void GRExprEngine::VisitAsmStmt(AsmStmt* A, NodeTy* Pred, NodeSet& Dst) {
VisitAsmStmtHelperOutputs(A, A->begin_outputs(), A->end_outputs(), Pred, Dst);
}
void GRExprEngine::VisitAsmStmtHelperOutputs(AsmStmt* A,
AsmStmt::outputs_iterator I,
AsmStmt::outputs_iterator E,
NodeTy* Pred, NodeSet& Dst) {
if (I == E) {
VisitAsmStmtHelperInputs(A, A->begin_inputs(), A->end_inputs(), Pred, Dst);
return;
}
NodeSet Tmp;
VisitLVal(*I, Pred, Tmp);
++I;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitAsmStmtHelperOutputs(A, I, E, *NI, Dst);
}
void GRExprEngine::VisitAsmStmtHelperInputs(AsmStmt* A,
AsmStmt::inputs_iterator I,
AsmStmt::inputs_iterator E,
NodeTy* Pred, NodeSet& Dst) {
if (I == E) {
// We have processed both the inputs and the outputs. All of the outputs
// should evaluate to LVals. Nuke all of their values.
// FIXME: Some day in the future it would be nice to allow a "plug-in"
// which interprets the inline asm and stores proper results in the
// outputs.
ValueState* St = GetState(Pred);
for (AsmStmt::outputs_iterator OI = A->begin_outputs(),
OE = A->end_outputs(); OI != OE; ++OI) {
RVal X = GetLVal(St, *OI);
assert (!isa<NonLVal>(X));
if (isa<LVal>(X))
St = SetRVal(St, cast<LVal>(X), UnknownVal());
}
return;
}
NodeSet Tmp;
Visit(*I, Pred, Tmp);
++I;
for (NodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI != NE; ++NI)
VisitAsmStmtHelperInputs(A, I, E, *NI, Dst);
}
Ted Kremenek
committed
void GRExprEngine::EvalReturn(NodeSet& Dst, ReturnStmt* S, NodeTy* Pred) {
assert (Builder && "GRStmtNodeBuilder must be defined.");
unsigned size = Dst.size();
SaveAndRestore<bool> OldSink(Builder->BuildSinks),
OldHasGen(Builder->HasGeneratedNode);
Ted Kremenek
committed
Builder->HasGeneratedNode = false;
Ted Kremenek
committed
TF->EvalReturn(Dst, *this, *Builder, S, Pred);
// Handle the case where no nodes where generated.
Ted Kremenek
committed
if (!Builder->BuildSinks && Dst.size() == size && !Builder->HasGeneratedNode)
Ted Kremenek
committed
MakeNode(Dst, S, Pred, GetState(Pred));
}
void GRExprEngine::VisitReturnStmt(ReturnStmt* S, NodeTy* Pred, NodeSet& Dst) {
Expr* R = S->getRetValue();
if (!R) {
Ted Kremenek
committed
EvalReturn(Dst, S, Pred);
return;
}
Ted Kremenek
committed
NodeSet DstRet;
QualType T = R->getType();
if (T->isPointerLikeType()) {
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
// Check if any of the return values return the address of a stack variable.
NodeSet Tmp;
Visit(R, Pred, Tmp);
for (NodeSet::iterator I=Tmp.begin(), E=Tmp.end(); I!=E; ++I) {
RVal X = GetRVal((*I)->getState(), R);
if (isa<lval::DeclVal>(X)) {
if (cast<lval::DeclVal>(X).getDecl()->hasLocalStorage()) {
// Create a special node representing the v
NodeTy* RetStackNode = Builder->generateNode(S, GetState(*I), *I);
if (RetStackNode) {
RetStackNode->markAsSink();
RetsStackAddr.insert(RetStackNode);
}
continue;
}
}
Ted Kremenek
committed
DstRet.Add(*I);
}
}
else
Ted Kremenek
committed
Visit(R, Pred, DstRet);
for (NodeSet::iterator I=DstRet.begin(), E=DstRet.end(); I!=E; ++I)
EvalReturn(Dst, S, *I);
}
//===----------------------------------------------------------------------===//
// Transfer functions: Binary operators.
//===----------------------------------------------------------------------===//
void GRExprEngine::VisitBinaryOperator(BinaryOperator* B,
GRExprEngine::NodeTy* Pred,
GRExprEngine::NodeSet& Dst) {
Ted Kremenek
committed
NodeSet S1;
if (B->isAssignmentOp())
VisitLVal(B->getLHS(), Pred, S1);
else
Visit(B->getLHS(), Pred, S1);
Ted Kremenek
committed
for (NodeSet::iterator I1=S1.begin(), E1=S1.end(); I1 != E1; ++I1) {
Ted Kremenek
committed
NodeTy* N1 = *I1;
Ted Kremenek
committed
// When getting the value for the LHS, check if we are in an assignment.
// In such cases, we want to (initially) treat the LHS as an LVal,
// so we use GetLVal instead of GetRVal so that DeclRefExpr's are
// evaluated to LValDecl's instead of to an NonLVal.
RVal LeftV = B->isAssignmentOp() ? GetLVal(GetState(N1), B->getLHS())
: GetRVal(GetState(N1), B->getLHS());
// Visit the RHS...
NodeSet S2;
Ted Kremenek
committed
Visit(B->getRHS(), N1, S2);
// Process the binary operator.
Ted Kremenek
committed
for (NodeSet::iterator I2 = S2.begin(), E2 = S2.end(); I2 != E2; ++I2) {
Ted Kremenek
committed
NodeTy* N2 = *I2;
ValueState* St = GetState(N2);
Expr* RHS = B->getRHS();
RVal RightV = GetRVal(St, RHS);
Ted Kremenek
committed
BinaryOperator::Opcode Op = B->getOpcode();
if ((Op == BinaryOperator::Div || Op == BinaryOperator::Rem)
&& RHS->getType()->isIntegerType()) {
Ted Kremenek
committed
// Check if the denominator is undefined.
if (!RightV.isUnknown()) {
Ted Kremenek
committed
if (RightV.isUndef()) {
NodeTy* DivUndef = Builder->generateNode(B, St, N2);
Ted Kremenek
committed
if (DivUndef) {
DivUndef->markAsSink();
ExplicitBadDivides.insert(DivUndef);
}
continue;
}
// Check for divide/remainder-by-zero.
//
Ted Kremenek
committed
// First, "assume" that the denominator is 0 or undefined.
bool isFeasibleZero = false;
ValueState* ZeroSt = Assume(St, RightV, false, isFeasibleZero);
// Second, "assume" that the denominator cannot be 0.
bool isFeasibleNotZero = false;
St = Assume(St, RightV, true, isFeasibleNotZero);
// Create the node for the divide-by-zero (if it occurred).
if (isFeasibleZero)
Ted Kremenek
committed
if (NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2)) {
DivZeroNode->markAsSink();
if (isFeasibleNotZero)
ImplicitBadDivides.insert(DivZeroNode);
else
ExplicitBadDivides.insert(DivZeroNode);
if (!isFeasibleNotZero)
continue;
}
// Fall-through. The logic below processes the divide.
}
Ted Kremenek
committed
if (Op <= BinaryOperator::Or) {
// Process non-assignements except commas or short-circuited
// logical expressions (LAnd and LOr).
RVal Result = EvalBinOp(Op, LeftV, RightV);
if (Result.isUnknown()) {
Dst.Add(N2);
Ted Kremenek
committed
if (Result.isUndef() && !LeftV.isUndef() && !RightV.isUndef()) {
// The operands were not undefined, but the result is undefined.
if (NodeTy* UndefNode = Builder->generateNode(B, St, N2)) {
UndefNode->markAsSink();
UndefResults.insert(UndefNode);
}
continue;
}
MakeNode(Dst, B, N2, SetRVal(St, B, Result));
continue;
}
// Process assignments.
switch (Op) {
Ted Kremenek
committed
case BinaryOperator::Assign: {
// Simple assignments.
Ted Kremenek
committed
if (LeftV.isUndef()) {
HandleUndefinedStore(B, N2);
continue;
}
Ted Kremenek
committed
// EXPERIMENTAL: "Conjured" symbols.
if (RightV.isUnknown()) {
unsigned Count = Builder->getCurrentBlockCount();
SymbolID Sym = SymMgr.getConjuredSymbol(B->getRHS(), Count);
RightV = B->getRHS()->getType()->isPointerType()
? cast<RVal>(lval::SymbolVal(Sym))
: cast<RVal>(nonlval::SymbolVal(Sym));
}
// Simulate the effects of a "store": bind the value of the RHS
// to the L-Value represented by the LHS.
Ted Kremenek
committed
EvalStore(Dst, B, N2, SetRVal(St, B, RightV),
Ted Kremenek
committed
LeftV, RightV);
Ted Kremenek
committed
continue;
Ted Kremenek
committed
}
// Compound assignment operators.
default: {
assert (B->isCompoundAssignmentOp());
if (Op >= BinaryOperator::AndAssign)
((int&) Op) -= (BinaryOperator::AndAssign - BinaryOperator::And);
else
((int&) Op) -= BinaryOperator::MulAssign;
Ted Kremenek
committed
// Check if the LHS is undefined.
Ted Kremenek
committed
if (LeftV.isUndef()) {
HandleUndefinedStore(B, N2);
continue;
}
if (LeftV.isUnknown()) {
assert (isa<UnknownVal>(GetRVal(St, B)));
Dst.Add(N2);
continue;
}
// At this pointer we know that the LHS evaluates to an LVal
// that is neither "Unknown" or "Undefined."
LVal LeftLV = cast<LVal>(LeftV);
// Fetch the value of the LHS (the value of the variable, etc.).
RVal V = GetRVal(GetState(N1), LeftLV, B->getLHS()->getType());
Ted Kremenek
committed
// Propagate undefined value (left-side). We
// propogate undefined values for the RHS below when
// we also check for divide-by-zero.
Ted Kremenek
committed
if (V.isUndef()) {
St = SetRVal(St, B, V);
break;
}
// Propagate unknown values.
if (V.isUnknown()) {
// The value bound to LeftV is unknown. Thus we just
// propagate the current node (as "B" is already bound to nothing).
assert (isa<UnknownVal>(GetRVal(St, B)));
Dst.Add(N2);
continue;
}
if (RightV.isUnknown()) {
assert (isa<UnknownVal>(GetRVal(St, B)));
St = SetRVal(St, LeftLV, UnknownVal());
break;
}
// At this point:
//
Ted Kremenek
committed
// The LHS is not Undef/Unknown.
// The RHS is not Unknown.
// Get the computation type.
QualType CTy = cast<CompoundAssignOperator>(B)->getComputationType();
// Perform promotions.
V = EvalCast(V, CTy);
// Evaluate operands and promote to result type.
if ((Op == BinaryOperator::Div || Op == BinaryOperator::Rem)
&& RHS->getType()->isIntegerType()) {
Ted Kremenek
committed
// Check if the denominator is undefined.
Ted Kremenek
committed
if (RightV.isUndef()) {
NodeTy* DivUndef = Builder->generateNode(B, St, N2);
Ted Kremenek
committed
if (DivUndef) {
DivUndef->markAsSink();
ExplicitBadDivides.insert(DivUndef);
}
continue;
}
// First, "assume" that the denominator is 0.
bool isFeasibleZero = false;
ValueState* ZeroSt = Assume(St, RightV, false, isFeasibleZero);
// Second, "assume" that the denominator cannot be 0.
bool isFeasibleNotZero = false;
St = Assume(St, RightV, true, isFeasibleNotZero);
// Create the node for the divide-by-zero error (if it occurred).
if (isFeasibleZero) {
NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2);
if (DivZeroNode) {
DivZeroNode->markAsSink();
if (isFeasibleNotZero)
ImplicitBadDivides.insert(DivZeroNode);
else
ExplicitBadDivides.insert(DivZeroNode);
}
}
if (!isFeasibleNotZero)
continue;
// Fall-through. The logic below processes the divide.
}
else {
Ted Kremenek
committed
// Propagate undefined values (right-side).
Ted Kremenek
committed
if (RightV.isUndef()) {
St = SetRVal(SetRVal(St, B, RightV), LeftLV, RightV);
break;
}
}
RVal Result = EvalCast(EvalBinOp(Op, V, RightV), B->getType());
Ted Kremenek
committed
if (Result.isUndef()) {
// The operands were not undefined, but the result is undefined.
if (NodeTy* UndefNode = Builder->generateNode(B, St, N2)) {
UndefNode->markAsSink();
UndefResults.insert(UndefNode);
}
continue;