Fix bug in BasicStore::getLValueElement where if the base of an array subscript expression was an ElementRegion we stacked another ElementRegion on top of that.

This fixes PR 3422.

llvm-svn: 63110

their associated APIs.  We no longer need separate SymbolData objects
for fields, variables, etc.  Instead, we now associated symbols with
the "rvalue" of a MemRegion (i.e., the value stored at that region).
Now we only have two kinds of SymbolData objects: SymbolRegionRValue
and SymbolConjured.

This cleanup also makes the distinction between a SymbolicRegion and a
symbolic value that is a location much clearer.  A SymbolicRegion
represents a chunk of symbolic memory, while a symbolic location is
just a "pointer" with different possible values.  Without any specific
knowledge, a symbolic location resolves (i.e., via a dereference) to a
SymbolicRegion.  In the future, when we do better alias reasoning, a
symbolic location can become an alias for another location, thus
merging the constraints on the referred SymbolicRegion with the other
region.

llvm-svn: 62769

Static Analyzer: Replace LiveSymbols/DeadSymbols sets with a new object called "SymbolReaper".  Right now it just consolidates the two and cleans up some client code, but shortly it will be used to enable "lazy computation" of live symbols for use with RegionStore.

llvm-svn: 62722

llvm-svn: 61894

llvm-svn: 61888

llvm-svn: 61304

llvm-svn: 61300

llvm-svn: 61299

* Now Bind() methods take and return GRState* because binding could
  also alter GDM.
* No variables are initialized except those declared with initial
  values.
* failed C test cases are due to bugs in RemoveDeadBindings(),
which removes constraints that is still alive. This will be fixed in later
patch.
* default value of array and struct regions will be implemented in later patch.

llvm-svn: 61274

- Overhauled the notion of "types" for TypedRegions.  We now distinguish between the "lvalue" of a region (via getLValueRegion()) and the "rvalue" of a region (va getRValueRegion()).  Since a region represents a chunk of memory it has both, but we were conflating these concepts in some cases, leading to some insidious bugs.
- Removed AnonPointeeType, partially because it is unused and because it doesn't have a clear notion of lvalue vs rvalue type.  We can add it back once there is a need for it and we can resolve its role with these concepts.

StoreManager:
- Overhauled StoreManager::CastRegion.  It expects an *lvalue* type for a region.  This is actually what motivated the overhaul to the MemRegion type mechanism.  It also no longer returns an SVal; we can just return a MemRegion*.
- BasicStoreManager::CastRegion now overlays an "AnonTypedRegion" for pointer-pointer casts.  This matches with the MemRegion changes.
- Similar changes to RegionStore, except I've added a bunch of FIXMEs where it wasn't 100% clear where we should use TypedRegion::getRValueRegion() or TypedRegion::getLValueRegion().

AuditCFNumberCreate check:
- Now blasts through AnonTypedRegions that may layer the original memory region, thus checking if the actually memory block is of the appropriate type.  This change was needed to work with the changes to StoreManager::CastRegion.

GRExprEngine::VisitCast:
- Conform to the new interface of StoreManager::CastRegion.

Tests:
- None of the analysis tests fail now for using the "basic store".
- Disabled the tests 'array-struct.c' and 'rdar-6442306-1.m' pending further testing and bug fixing.

llvm-svn: 60995

GRExprEngine (VisitCast):
- When using StoreManager::CastRegion, always use the state and value it returns to generate the next node.  Failure to do so means that region values returned that don't require the state to be modified will get ignored.

MemRegion:
- Tighten the interface for ElementRegion.  Now ElementRegion can only be created with a super region that is a 'TypedRegion' instead of any MemRegion.  Code in BasicStoreManager/RegionStoreManager already assumed this, but it would result in a dynamic assertion check (and crash) rather than just having the compiler forbid the construction of such regions.
- Added ElementRegion::getArrayRegion() to return the 'typed version' of an ElementRegion's super region.
- Removed bogus assertion in ElementRegion::getType() that assumed that the super region was an AnonTypedRegion.  All that matters is that it is a TypedRegion, which is now true all the time by design.

BasicStore:
- Modified getLValueElement() to check if the 'array' region is a TypedRegion before creating an ElementRegion.  This conforms to the updated interface for ElementRegion.

RegionStore:
- In ArrayToPointer() gracefully handle things we don't reason about, and only create an ElementRegion if the array region is indeed a TypedRegion.

llvm-svn: 60990

Fix to BasicStoreManager::getElementLValue: If the base region is a symbol, layer an AnonTypedRegion on top of it.

llvm-svn: 60808

Have BasicStoreManager::getLValueElement() have logic similar to BasicStoreManager::getLValueField() (i.e., don't just return the 'base' as the SVal)

llvm-svn: 60795

StoreManager::Retrieve and StoreManager::RemoveDeadBindings now take a GRState* argument instead of a Store.  This allows them to use the GDM for storing other data.

llvm-svn: 60570

llvm-svn: 60520

llvm-svn: 60205

NamedDecl::getNameAsString() to make it more explicit.

llvm-svn: 59937

environment.

llvm-svn: 59407

 - RegionView and RegionViewMap is introduced to assist back-mapping from
   super region to subregions.
 - GDM is used to carry RegionView information.
 - AnonTypedRegion is added to represent a typed region introduced by pointer
   casting. Later AnonTypedRegion can be used in other similar cases, e.g.,
   malloc()'ed region.
 - The specific conversion is delegated to store manager.

llvm-svn: 59382

llvm-svn: 59359

StoreManager::BindDecl now takes an SVal* for the initialization value instead of an Expr* (which can be null).  Lazy symbolication of conjured symbols is now the sole responsibility of GRExprEngine.

llvm-svn: 59151

available, things get much simplified.

One addition is that CompoundLiteralExpr can appear both in rvalue and lvalue
context.

llvm-svn: 58837

BindDecl better describes what the function does:
  - Bind the VarDecl to its memory region
  - Bind the memory region to some initial value.

llvm-svn: 58359

- GRExprEngine::VisitCompoundLiteral...
   (1) visits the initializer list (generating ExplodedNodes)
   (2) creates a CompoundMemRegion for the literal
   (3) creates a new state with the bound literal values using
       GRStateManager::BindCompoundLiteral

- GRStateManager::BindCompoundLiteral simply calls 
  StoreManager::BindCompoundLiteral to get a new store and returns a persistent
  GRState with that store.

- BasicStore::BindCompoundLiteral simply returns the same store, as it
  doesn't handle field sensitivity
  
- RegionStore::BindCompoundLiteral currently fires an assert (pending discussion
  of how to best implement mappings for CompoundLiteralRegion).

llvm-svn: 58277

llvm-svn: 58182

for StringLiteral lvalue evaluation, instead of directly returning a
loc::StringLiteralVal by the Environment.

llvm-svn: 58138

Added method "getSelfRegion" to Store.  This method returns the region associated with the "this" or "self" object (C++ and Objective-C respectively).

llvm-svn: 58107

llvm-svn: 58028

llvm-svn: 57964

llvm-svn: 57909

GRExprEngine::VisitCast() so that other parts of the analyzer can be ignorant.
When we cast "array of type T" to "pointer to T", we get the loc::MemRegionVal
corresponding to the array variable. This is sufficient for BasicStore, but not
for RegionStore. RegionStore should get the element region for the first array
element in the cast. So next comes to the revamping of transfer functions for
different store model.

llvm-svn: 57897

llvm-svn: 57896

Hack: have BasicStore::getLValueElement return the "Base" lvalue.  This restores null dereference checking with array accesses.

BasicStore::RemoveDeadBindings: handle regions besides VarRegions (we now have FieldRegions).

llvm-svn: 57741

- Added new region "SymbolicRegion", which maps symbol values to the region domain.
- Enhanced BasicStore::getFieldLValue() to return a FieldRegion (using SymbolicRegion)
- Added some utility methods to GRState for fetch svals from the store.
- Fixed regression in CheckNSError (we weren't getting the value bound to the parameter)

llvm-svn: 57717

RVal => SVal
LVal => Loc
NonLVal => NonLoc
lval => loc
nonlval => nonloc

llvm-svn: 57671

struct s {};
void f() {
  int a[10];
  int (*p)[10];
  p = &a;
  (*p)[3] =1;

  struct s d;
  struct s *q;
  q = &d;
}

We return the corresponding MemRegionVal for them.

llvm-svn: 57664

Remove GRExprEngine::getLVal and RValues::MakeVal.
Enhance StoreManager "GetLValue" methods to dispatch for specific kinds of lvalue queries, as opposed to interogating the expression tree (GRExprEngine already does this).

Added FIXMEs.  In particular, we no longer "assume" that a base pointer in a field/array access is null (this logic was removed).  Perhaps we should do this when fetching the lvalue for fields and array elements?

llvm-svn: 57657

llvm-svn: 57654

new VisitLValue method is added to replace the old VisitLVal. The semantics
model becomes more explicit to separate rvalue evaluation from lvalue
evaluation.  

llvm-svn: 57627

llvm-svn: 57225