1 //== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines a basic region store model. In this model, we do have field
11 // sensitivity. But we assume nothing about the heap shape. So recursive data
12 // structures are largely ignored. Basically we do 1-limiting analysis.
13 // Parameter pointers are assumed with no aliasing. Pointee objects of
14 // parameters are created lazily.
15 //
16 //===----------------------------------------------------------------------===//
17 #include "clang/AST/CharUnits.h"
18 #include "clang/AST/DeclCXX.h"
19 #include "clang/AST/ExprCXX.h"
20 #include "clang/AST/CXXInheritance.h"
21 #include "clang/Analysis/Analyses/LiveVariables.h"
22 #include "clang/Analysis/AnalysisContext.h"
23 #include "clang/Basic/TargetInfo.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
27 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
28 #include "llvm/ADT/ImmutableList.h"
29 #include "llvm/ADT/ImmutableMap.h"
30 #include "llvm/ADT/Optional.h"
31 #include "llvm/Support/raw_ostream.h"
32
33 using namespace clang;
34 using namespace ento;
35 using llvm::Optional;
36
37 //===----------------------------------------------------------------------===//
38 // Representation of binding keys.
39 //===----------------------------------------------------------------------===//
40
41 namespace {
42 class BindingKey {
43 public:
44 enum Kind { Default = 0x0, Direct = 0x1 };
45 private:
46 enum { Symbolic = 0x2 };
47
48 llvm::PointerIntPair<const MemRegion *, 2> P;
49 uint64_t Data;
50
BindingKey(const MemRegion * r,const MemRegion * Base,Kind k)51 explicit BindingKey(const MemRegion *r, const MemRegion *Base, Kind k)
52 : P(r, k | Symbolic), Data(reinterpret_cast<uintptr_t>(Base)) {
53 assert(r && Base && "Must have known regions.");
54 assert(getConcreteOffsetRegion() == Base && "Failed to store base region");
55 }
BindingKey(const MemRegion * r,uint64_t offset,Kind k)56 explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k)
57 : P(r, k), Data(offset) {
58 assert(r && "Must have known regions.");
59 assert(getOffset() == offset && "Failed to store offset");
60 assert((r == r->getBaseRegion() || isa<ObjCIvarRegion>(r)) && "Not a base");
61 }
62 public:
63
isDirect() const64 bool isDirect() const { return P.getInt() & Direct; }
hasSymbolicOffset() const65 bool hasSymbolicOffset() const { return P.getInt() & Symbolic; }
66
getRegion() const67 const MemRegion *getRegion() const { return P.getPointer(); }
getOffset() const68 uint64_t getOffset() const {
69 assert(!hasSymbolicOffset());
70 return Data;
71 }
72
getConcreteOffsetRegion() const73 const MemRegion *getConcreteOffsetRegion() const {
74 assert(hasSymbolicOffset());
75 return reinterpret_cast<const MemRegion *>(static_cast<uintptr_t>(Data));
76 }
77
getBaseRegion() const78 const MemRegion *getBaseRegion() const {
79 if (hasSymbolicOffset())
80 return getConcreteOffsetRegion()->getBaseRegion();
81 return getRegion()->getBaseRegion();
82 }
83
Profile(llvm::FoldingSetNodeID & ID) const84 void Profile(llvm::FoldingSetNodeID& ID) const {
85 ID.AddPointer(P.getOpaqueValue());
86 ID.AddInteger(Data);
87 }
88
89 static BindingKey Make(const MemRegion *R, Kind k);
90
operator <(const BindingKey & X) const91 bool operator<(const BindingKey &X) const {
92 if (P.getOpaqueValue() < X.P.getOpaqueValue())
93 return true;
94 if (P.getOpaqueValue() > X.P.getOpaqueValue())
95 return false;
96 return Data < X.Data;
97 }
98
operator ==(const BindingKey & X) const99 bool operator==(const BindingKey &X) const {
100 return P.getOpaqueValue() == X.P.getOpaqueValue() &&
101 Data == X.Data;
102 }
103
104 LLVM_ATTRIBUTE_USED void dump() const;
105 };
106 } // end anonymous namespace
107
Make(const MemRegion * R,Kind k)108 BindingKey BindingKey::Make(const MemRegion *R, Kind k) {
109 const RegionOffset &RO = R->getAsOffset();
110 if (RO.hasSymbolicOffset())
111 return BindingKey(R, RO.getRegion(), k);
112
113 return BindingKey(RO.getRegion(), RO.getOffset(), k);
114 }
115
116 namespace llvm {
117 static inline
operator <<(raw_ostream & os,BindingKey K)118 raw_ostream &operator<<(raw_ostream &os, BindingKey K) {
119 os << '(' << K.getRegion();
120 if (!K.hasSymbolicOffset())
121 os << ',' << K.getOffset();
122 os << ',' << (K.isDirect() ? "direct" : "default")
123 << ')';
124 return os;
125 }
126 } // end llvm namespace
127
dump() const128 void BindingKey::dump() const {
129 llvm::errs() << *this;
130 }
131
132 //===----------------------------------------------------------------------===//
133 // Actual Store type.
134 //===----------------------------------------------------------------------===//
135
136 typedef llvm::ImmutableMap<BindingKey, SVal> ClusterBindings;
137 typedef llvm::ImmutableMap<const MemRegion *, ClusterBindings> RegionBindings;
138
139 //===----------------------------------------------------------------------===//
140 // Fine-grained control of RegionStoreManager.
141 //===----------------------------------------------------------------------===//
142
143 namespace {
144 struct minimal_features_tag {};
145 struct maximal_features_tag {};
146
147 class RegionStoreFeatures {
148 bool SupportsFields;
149 public:
RegionStoreFeatures(minimal_features_tag)150 RegionStoreFeatures(minimal_features_tag) :
151 SupportsFields(false) {}
152
RegionStoreFeatures(maximal_features_tag)153 RegionStoreFeatures(maximal_features_tag) :
154 SupportsFields(true) {}
155
enableFields(bool t)156 void enableFields(bool t) { SupportsFields = t; }
157
supportsFields() const158 bool supportsFields() const { return SupportsFields; }
159 };
160 }
161
162 //===----------------------------------------------------------------------===//
163 // Main RegionStore logic.
164 //===----------------------------------------------------------------------===//
165
166 namespace {
167
168 class RegionStoreManager : public StoreManager {
169 const RegionStoreFeatures Features;
170 RegionBindings::Factory RBFactory;
171 ClusterBindings::Factory CBFactory;
172
173 public:
RegionStoreManager(ProgramStateManager & mgr,const RegionStoreFeatures & f)174 RegionStoreManager(ProgramStateManager& mgr, const RegionStoreFeatures &f)
175 : StoreManager(mgr), Features(f),
176 RBFactory(mgr.getAllocator()), CBFactory(mgr.getAllocator()) {}
177
178 Optional<SVal> getDirectBinding(RegionBindings B, const MemRegion *R);
179 /// getDefaultBinding - Returns an SVal* representing an optional default
180 /// binding associated with a region and its subregions.
181 Optional<SVal> getDefaultBinding(RegionBindings B, const MemRegion *R);
182
183 /// setImplicitDefaultValue - Set the default binding for the provided
184 /// MemRegion to the value implicitly defined for compound literals when
185 /// the value is not specified.
186 StoreRef setImplicitDefaultValue(Store store, const MemRegion *R, QualType T);
187
188 /// ArrayToPointer - Emulates the "decay" of an array to a pointer
189 /// type. 'Array' represents the lvalue of the array being decayed
190 /// to a pointer, and the returned SVal represents the decayed
191 /// version of that lvalue (i.e., a pointer to the first element of
192 /// the array). This is called by ExprEngine when evaluating
193 /// casts from arrays to pointers.
194 SVal ArrayToPointer(Loc Array);
195
196 /// For DerivedToBase casts, create a CXXBaseObjectRegion and return it.
197 virtual SVal evalDerivedToBase(SVal derived, QualType basePtrType);
198
199 /// \brief Evaluates C++ dynamic_cast cast.
200 /// The callback may result in the following 3 scenarios:
201 /// - Successful cast (ex: derived is subclass of base).
202 /// - Failed cast (ex: derived is definitely not a subclass of base).
203 /// - We don't know (base is a symbolic region and we don't have
204 /// enough info to determine if the cast will succeed at run time).
205 /// The function returns an SVal representing the derived class; it's
206 /// valid only if Failed flag is set to false.
207 virtual SVal evalDynamicCast(SVal base, QualType derivedPtrType,bool &Failed);
208
getInitialStore(const LocationContext * InitLoc)209 StoreRef getInitialStore(const LocationContext *InitLoc) {
210 return StoreRef(RBFactory.getEmptyMap().getRootWithoutRetain(), *this);
211 }
212
213 //===-------------------------------------------------------------------===//
214 // Binding values to regions.
215 //===-------------------------------------------------------------------===//
216 RegionBindings invalidateGlobalRegion(MemRegion::Kind K,
217 const Expr *Ex,
218 unsigned Count,
219 const LocationContext *LCtx,
220 RegionBindings B,
221 InvalidatedRegions *Invalidated);
222
223 StoreRef invalidateRegions(Store store, ArrayRef<const MemRegion *> Regions,
224 const Expr *E, unsigned Count,
225 const LocationContext *LCtx,
226 InvalidatedSymbols &IS,
227 const CallEvent *Call,
228 InvalidatedRegions *Invalidated);
229
230 bool scanReachableSymbols(Store S, const MemRegion *R,
231 ScanReachableSymbols &Callbacks);
232
233 public: // Made public for helper classes.
234
235 RegionBindings removeSubRegionBindings(RegionBindings B, const SubRegion *R);
236
237 RegionBindings addBinding(RegionBindings B, BindingKey K, SVal V);
238
239 RegionBindings addBinding(RegionBindings B, const MemRegion *R,
240 BindingKey::Kind k, SVal V);
241
242 const SVal *lookup(RegionBindings B, BindingKey K);
243 const SVal *lookup(RegionBindings B, const MemRegion *R, BindingKey::Kind k);
244
245 RegionBindings removeBinding(RegionBindings B, BindingKey K);
246 RegionBindings removeBinding(RegionBindings B, const MemRegion *R,
247 BindingKey::Kind k);
248
removeBinding(RegionBindings B,const MemRegion * R)249 RegionBindings removeBinding(RegionBindings B, const MemRegion *R) {
250 return removeBinding(removeBinding(B, R, BindingKey::Direct), R,
251 BindingKey::Default);
252 }
253
254 RegionBindings removeCluster(RegionBindings B, const MemRegion *R);
255
256 public: // Part of public interface to class.
257
258 StoreRef Bind(Store store, Loc LV, SVal V);
259
260 // BindDefault is only used to initialize a region with a default value.
BindDefault(Store store,const MemRegion * R,SVal V)261 StoreRef BindDefault(Store store, const MemRegion *R, SVal V) {
262 RegionBindings B = GetRegionBindings(store);
263 assert(!lookup(B, R, BindingKey::Default));
264 assert(!lookup(B, R, BindingKey::Direct));
265 return StoreRef(addBinding(B, R, BindingKey::Default, V)
266 .getRootWithoutRetain(), *this);
267 }
268
269 /// \brief Create a new store that binds a value to a compound literal.
270 ///
271 /// \param ST The original store whose bindings are the basis for the new
272 /// store.
273 ///
274 /// \param CL The compound literal to bind (the binding key).
275 ///
276 /// \param LC The LocationContext for the binding.
277 ///
278 /// \param V The value to bind to the compound literal.
279 StoreRef bindCompoundLiteral(Store ST,
280 const CompoundLiteralExpr *CL,
281 const LocationContext *LC, SVal V);
282
283 /// BindStruct - Bind a compound value to a structure.
284 StoreRef BindStruct(Store store, const TypedValueRegion* R, SVal V);
285
286 /// BindVector - Bind a compound value to a vector.
287 StoreRef BindVector(Store store, const TypedValueRegion* R, SVal V);
288
289 StoreRef BindArray(Store store, const TypedValueRegion* R, SVal V);
290
291 /// Clears out all bindings in the given region and assigns a new value
292 /// as a Default binding.
293 StoreRef BindAggregate(Store store, const TypedRegion *R, SVal DefaultVal);
294
295 /// \brief Create a new store with the specified binding removed.
296 /// \param ST the original store, that is the basis for the new store.
297 /// \param L the location whose binding should be removed.
298 StoreRef killBinding(Store ST, Loc L);
299
incrementReferenceCount(Store store)300 void incrementReferenceCount(Store store) {
301 GetRegionBindings(store).manualRetain();
302 }
303
304 /// If the StoreManager supports it, decrement the reference count of
305 /// the specified Store object. If the reference count hits 0, the memory
306 /// associated with the object is recycled.
decrementReferenceCount(Store store)307 void decrementReferenceCount(Store store) {
308 GetRegionBindings(store).manualRelease();
309 }
310
311 bool includedInBindings(Store store, const MemRegion *region) const;
312
313 /// \brief Return the value bound to specified location in a given state.
314 ///
315 /// The high level logic for this method is this:
316 /// getBinding (L)
317 /// if L has binding
318 /// return L's binding
319 /// else if L is in killset
320 /// return unknown
321 /// else
322 /// if L is on stack or heap
323 /// return undefined
324 /// else
325 /// return symbolic
326 SVal getBinding(Store store, Loc L, QualType T = QualType());
327
328 SVal getBindingForElement(Store store, const ElementRegion *R);
329
330 SVal getBindingForField(Store store, const FieldRegion *R);
331
332 SVal getBindingForObjCIvar(Store store, const ObjCIvarRegion *R);
333
334 SVal getBindingForVar(Store store, const VarRegion *R);
335
336 SVal getBindingForLazySymbol(const TypedValueRegion *R);
337
338 SVal getBindingForFieldOrElementCommon(Store store, const TypedValueRegion *R,
339 QualType Ty, const MemRegion *superR);
340
341 SVal getLazyBinding(const MemRegion *lazyBindingRegion,
342 Store lazyBindingStore);
343
344 /// Get bindings for the values in a struct and return a CompoundVal, used
345 /// when doing struct copy:
346 /// struct s x, y;
347 /// x = y;
348 /// y's value is retrieved by this method.
349 SVal getBindingForStruct(Store store, const TypedValueRegion* R);
350
351 SVal getBindingForArray(Store store, const TypedValueRegion* R);
352
353 /// Used to lazily generate derived symbols for bindings that are defined
354 /// implicitly by default bindings in a super region.
355 Optional<SVal> getBindingForDerivedDefaultValue(RegionBindings B,
356 const MemRegion *superR,
357 const TypedValueRegion *R,
358 QualType Ty);
359
360 /// Get the state and region whose binding this region R corresponds to.
361 std::pair<Store, const MemRegion*>
362 GetLazyBinding(RegionBindings B, const MemRegion *R,
363 const MemRegion *originalRegion,
364 bool includeSuffix = false);
365
366 //===------------------------------------------------------------------===//
367 // State pruning.
368 //===------------------------------------------------------------------===//
369
370 /// removeDeadBindings - Scans the RegionStore of 'state' for dead values.
371 /// It returns a new Store with these values removed.
372 StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx,
373 SymbolReaper& SymReaper);
374
375 //===------------------------------------------------------------------===//
376 // Region "extents".
377 //===------------------------------------------------------------------===//
378
379 // FIXME: This method will soon be eliminated; see the note in Store.h.
380 DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state,
381 const MemRegion* R, QualType EleTy);
382
383 //===------------------------------------------------------------------===//
384 // Utility methods.
385 //===------------------------------------------------------------------===//
386
GetRegionBindings(Store store)387 static inline RegionBindings GetRegionBindings(Store store) {
388 return RegionBindings(static_cast<const RegionBindings::TreeTy*>(store));
389 }
390
391 void print(Store store, raw_ostream &Out, const char* nl,
392 const char *sep);
393
iterBindings(Store store,BindingsHandler & f)394 void iterBindings(Store store, BindingsHandler& f) {
395 RegionBindings B = GetRegionBindings(store);
396 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
397 const ClusterBindings &Cluster = I.getData();
398 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
399 CI != CE; ++CI) {
400 const BindingKey &K = CI.getKey();
401 if (!K.isDirect())
402 continue;
403 if (const SubRegion *R = dyn_cast<SubRegion>(K.getRegion())) {
404 // FIXME: Possibly incorporate the offset?
405 if (!f.HandleBinding(*this, store, R, CI.getData()))
406 return;
407 }
408 }
409 }
410 }
411 };
412
413 } // end anonymous namespace
414
415 //===----------------------------------------------------------------------===//
416 // RegionStore creation.
417 //===----------------------------------------------------------------------===//
418
CreateRegionStoreManager(ProgramStateManager & StMgr)419 StoreManager *ento::CreateRegionStoreManager(ProgramStateManager& StMgr) {
420 RegionStoreFeatures F = maximal_features_tag();
421 return new RegionStoreManager(StMgr, F);
422 }
423
424 StoreManager *
CreateFieldsOnlyRegionStoreManager(ProgramStateManager & StMgr)425 ento::CreateFieldsOnlyRegionStoreManager(ProgramStateManager &StMgr) {
426 RegionStoreFeatures F = minimal_features_tag();
427 F.enableFields(true);
428 return new RegionStoreManager(StMgr, F);
429 }
430
431
432 //===----------------------------------------------------------------------===//
433 // Region Cluster analysis.
434 //===----------------------------------------------------------------------===//
435
436 namespace {
437 template <typename DERIVED>
438 class ClusterAnalysis {
439 protected:
440 typedef llvm::DenseMap<const MemRegion *, const ClusterBindings *> ClusterMap;
441 typedef SmallVector<const MemRegion *, 10> WorkList;
442
443 llvm::SmallPtrSet<const ClusterBindings *, 16> Visited;
444
445 WorkList WL;
446
447 RegionStoreManager &RM;
448 ASTContext &Ctx;
449 SValBuilder &svalBuilder;
450
451 RegionBindings B;
452
453 const bool includeGlobals;
454
getCluster(const MemRegion * R)455 const ClusterBindings *getCluster(const MemRegion *R) {
456 return B.lookup(R);
457 }
458
459 public:
ClusterAnalysis(RegionStoreManager & rm,ProgramStateManager & StateMgr,RegionBindings b,const bool includeGlobals)460 ClusterAnalysis(RegionStoreManager &rm, ProgramStateManager &StateMgr,
461 RegionBindings b, const bool includeGlobals)
462 : RM(rm), Ctx(StateMgr.getContext()),
463 svalBuilder(StateMgr.getSValBuilder()),
464 B(b), includeGlobals(includeGlobals) {}
465
getRegionBindings() const466 RegionBindings getRegionBindings() const { return B; }
467
isVisited(const MemRegion * R)468 bool isVisited(const MemRegion *R) {
469 return Visited.count(getCluster(R));
470 }
471
GenerateClusters()472 void GenerateClusters() {
473 // Scan the entire set of bindings and record the region clusters.
474 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
475 const MemRegion *Base = RI.getKey();
476
477 const ClusterBindings &Cluster = RI.getData();
478 assert(!Cluster.isEmpty() && "Empty clusters should be removed");
479 static_cast<DERIVED*>(this)->VisitAddedToCluster(Base, Cluster);
480
481 if (includeGlobals)
482 if (isa<NonStaticGlobalSpaceRegion>(Base->getMemorySpace()))
483 AddToWorkList(Base, &Cluster);
484 }
485 }
486
AddToWorkList(const MemRegion * R,const ClusterBindings * C)487 bool AddToWorkList(const MemRegion *R, const ClusterBindings *C) {
488 if (C && !Visited.insert(C))
489 return false;
490 WL.push_back(R);
491 return true;
492 }
493
AddToWorkList(const MemRegion * R)494 bool AddToWorkList(const MemRegion *R) {
495 const MemRegion *baseR = R->getBaseRegion();
496 return AddToWorkList(baseR, getCluster(baseR));
497 }
498
RunWorkList()499 void RunWorkList() {
500 while (!WL.empty()) {
501 const MemRegion *baseR = WL.pop_back_val();
502
503 // First visit the cluster.
504 if (const ClusterBindings *Cluster = getCluster(baseR))
505 static_cast<DERIVED*>(this)->VisitCluster(baseR, *Cluster);
506
507 // Next, visit the base region.
508 static_cast<DERIVED*>(this)->VisitBaseRegion(baseR);
509 }
510 }
511
512 public:
VisitAddedToCluster(const MemRegion * baseR,const ClusterBindings & C)513 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C) {}
VisitCluster(const MemRegion * baseR,const ClusterBindings & C)514 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C) {}
VisitBaseRegion(const MemRegion * baseR)515 void VisitBaseRegion(const MemRegion *baseR) {}
516 };
517 }
518
519 //===----------------------------------------------------------------------===//
520 // Binding invalidation.
521 //===----------------------------------------------------------------------===//
522
scanReachableSymbols(Store S,const MemRegion * R,ScanReachableSymbols & Callbacks)523 bool RegionStoreManager::scanReachableSymbols(Store S, const MemRegion *R,
524 ScanReachableSymbols &Callbacks) {
525 assert(R == R->getBaseRegion() && "Should only be called for base regions");
526 RegionBindings B = GetRegionBindings(S);
527 const ClusterBindings *Cluster = B.lookup(R);
528
529 if (!Cluster)
530 return true;
531
532 for (ClusterBindings::iterator RI = Cluster->begin(), RE = Cluster->end();
533 RI != RE; ++RI) {
534 if (!Callbacks.scan(RI.getData()))
535 return false;
536 }
537
538 return true;
539 }
540
removeSubRegionBindings(RegionBindings B,const SubRegion * R)541 RegionBindings RegionStoreManager::removeSubRegionBindings(RegionBindings B,
542 const SubRegion *R) {
543 BindingKey SRKey = BindingKey::Make(R, BindingKey::Default);
544 const MemRegion *ClusterHead = SRKey.getBaseRegion();
545 if (R == ClusterHead) {
546 // We can remove an entire cluster's bindings all in one go.
547 return RBFactory.remove(B, R);
548 }
549
550 if (SRKey.hasSymbolicOffset()) {
551 const SubRegion *Base = cast<SubRegion>(SRKey.getConcreteOffsetRegion());
552 B = removeSubRegionBindings(B, Base);
553 return addBinding(B, Base, BindingKey::Default, UnknownVal());
554 }
555
556 // This assumes the region being invalidated is char-aligned. This isn't
557 // true for bitfields, but since bitfields have no subregions they shouldn't
558 // be using this function anyway.
559 uint64_t Length = UINT64_MAX;
560
561 SVal Extent = R->getExtent(svalBuilder);
562 if (nonloc::ConcreteInt *ExtentCI = dyn_cast<nonloc::ConcreteInt>(&Extent)) {
563 const llvm::APSInt &ExtentInt = ExtentCI->getValue();
564 assert(ExtentInt.isNonNegative() || ExtentInt.isUnsigned());
565 // Extents are in bytes but region offsets are in bits. Be careful!
566 Length = ExtentInt.getLimitedValue() * Ctx.getCharWidth();
567 }
568
569 const ClusterBindings *Cluster = B.lookup(ClusterHead);
570 if (!Cluster)
571 return B;
572
573 ClusterBindings Result = *Cluster;
574
575 // It is safe to iterate over the bindings as they are being changed
576 // because they are in an ImmutableMap.
577 for (ClusterBindings::iterator I = Cluster->begin(), E = Cluster->end();
578 I != E; ++I) {
579 BindingKey NextKey = I.getKey();
580 if (NextKey.getRegion() == SRKey.getRegion()) {
581 if (NextKey.getOffset() > SRKey.getOffset() &&
582 NextKey.getOffset() - SRKey.getOffset() < Length) {
583 // Case 1: The next binding is inside the region we're invalidating.
584 // Remove it.
585 Result = CBFactory.remove(Result, NextKey);
586 } else if (NextKey.getOffset() == SRKey.getOffset()) {
587 // Case 2: The next binding is at the same offset as the region we're
588 // invalidating. In this case, we need to leave default bindings alone,
589 // since they may be providing a default value for a regions beyond what
590 // we're invalidating.
591 // FIXME: This is probably incorrect; consider invalidating an outer
592 // struct whose first field is bound to a LazyCompoundVal.
593 if (NextKey.isDirect())
594 Result = CBFactory.remove(Result, NextKey);
595 }
596 } else if (NextKey.hasSymbolicOffset()) {
597 const MemRegion *Base = NextKey.getConcreteOffsetRegion();
598 if (R->isSubRegionOf(Base)) {
599 // Case 3: The next key is symbolic and we just changed something within
600 // its concrete region. We don't know if the binding is still valid, so
601 // we'll be conservative and remove it.
602 if (NextKey.isDirect())
603 Result = CBFactory.remove(Result, NextKey);
604 } else if (const SubRegion *BaseSR = dyn_cast<SubRegion>(Base)) {
605 // Case 4: The next key is symbolic, but we changed a known
606 // super-region. In this case the binding is certainly no longer valid.
607 if (R == Base || BaseSR->isSubRegionOf(R))
608 Result = CBFactory.remove(Result, NextKey);
609 }
610 }
611 }
612
613 if (Result.isEmpty())
614 return RBFactory.remove(B, ClusterHead);
615 return RBFactory.add(B, ClusterHead, Result);
616 }
617
618 namespace {
619 class invalidateRegionsWorker : public ClusterAnalysis<invalidateRegionsWorker>
620 {
621 const Expr *Ex;
622 unsigned Count;
623 const LocationContext *LCtx;
624 StoreManager::InvalidatedSymbols &IS;
625 StoreManager::InvalidatedRegions *Regions;
626 public:
invalidateRegionsWorker(RegionStoreManager & rm,ProgramStateManager & stateMgr,RegionBindings b,const Expr * ex,unsigned count,const LocationContext * lctx,StoreManager::InvalidatedSymbols & is,StoreManager::InvalidatedRegions * r,bool includeGlobals)627 invalidateRegionsWorker(RegionStoreManager &rm,
628 ProgramStateManager &stateMgr,
629 RegionBindings b,
630 const Expr *ex, unsigned count,
631 const LocationContext *lctx,
632 StoreManager::InvalidatedSymbols &is,
633 StoreManager::InvalidatedRegions *r,
634 bool includeGlobals)
635 : ClusterAnalysis<invalidateRegionsWorker>(rm, stateMgr, b, includeGlobals),
636 Ex(ex), Count(count), LCtx(lctx), IS(is), Regions(r) {}
637
638 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C);
639 void VisitBaseRegion(const MemRegion *baseR);
640
641 private:
642 void VisitBinding(SVal V);
643 };
644 }
645
VisitBinding(SVal V)646 void invalidateRegionsWorker::VisitBinding(SVal V) {
647 // A symbol? Mark it touched by the invalidation.
648 if (SymbolRef Sym = V.getAsSymbol())
649 IS.insert(Sym);
650
651 if (const MemRegion *R = V.getAsRegion()) {
652 AddToWorkList(R);
653 return;
654 }
655
656 // Is it a LazyCompoundVal? All references get invalidated as well.
657 if (const nonloc::LazyCompoundVal *LCS =
658 dyn_cast<nonloc::LazyCompoundVal>(&V)) {
659
660 const MemRegion *LazyR = LCS->getRegion();
661 RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore());
662
663 // FIXME: This should not have to walk all bindings in the old store.
664 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
665 const ClusterBindings &Cluster = RI.getData();
666 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
667 CI != CE; ++CI) {
668 BindingKey K = CI.getKey();
669 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) {
670 if (BaseR == LazyR)
671 VisitBinding(CI.getData());
672 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR))
673 VisitBinding(CI.getData());
674 }
675 }
676 }
677
678 return;
679 }
680 }
681
VisitCluster(const MemRegion * BaseR,const ClusterBindings & C)682 void invalidateRegionsWorker::VisitCluster(const MemRegion *BaseR,
683 const ClusterBindings &C) {
684 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I)
685 VisitBinding(I.getData());
686
687 B = RM.removeCluster(B, BaseR);
688 }
689
VisitBaseRegion(const MemRegion * baseR)690 void invalidateRegionsWorker::VisitBaseRegion(const MemRegion *baseR) {
691 // Symbolic region? Mark that symbol touched by the invalidation.
692 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR))
693 IS.insert(SR->getSymbol());
694
695 // BlockDataRegion? If so, invalidate captured variables that are passed
696 // by reference.
697 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) {
698 for (BlockDataRegion::referenced_vars_iterator
699 BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ;
700 BI != BE; ++BI) {
701 const VarRegion *VR = *BI;
702 const VarDecl *VD = VR->getDecl();
703 if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage()) {
704 AddToWorkList(VR);
705 }
706 else if (Loc::isLocType(VR->getValueType())) {
707 // Map the current bindings to a Store to retrieve the value
708 // of the binding. If that binding itself is a region, we should
709 // invalidate that region. This is because a block may capture
710 // a pointer value, but the thing pointed by that pointer may
711 // get invalidated.
712 Store store = B.getRootWithoutRetain();
713 SVal V = RM.getBinding(store, loc::MemRegionVal(VR));
714 if (const Loc *L = dyn_cast<Loc>(&V)) {
715 if (const MemRegion *LR = L->getAsRegion())
716 AddToWorkList(LR);
717 }
718 }
719 }
720 return;
721 }
722
723 // Otherwise, we have a normal data region. Record that we touched the region.
724 if (Regions)
725 Regions->push_back(baseR);
726
727 if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) {
728 // Invalidate the region by setting its default value to
729 // conjured symbol. The type of the symbol is irrelavant.
730 DefinedOrUnknownSVal V =
731 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx, Ctx.IntTy, Count);
732 B = RM.addBinding(B, baseR, BindingKey::Default, V);
733 return;
734 }
735
736 if (!baseR->isBoundable())
737 return;
738
739 const TypedValueRegion *TR = cast<TypedValueRegion>(baseR);
740 QualType T = TR->getValueType();
741
742 // Invalidate the binding.
743 if (T->isStructureOrClassType()) {
744 // Invalidate the region by setting its default value to
745 // conjured symbol. The type of the symbol is irrelavant.
746 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx,
747 Ctx.IntTy, Count);
748 B = RM.addBinding(B, baseR, BindingKey::Default, V);
749 return;
750 }
751
752 if (const ArrayType *AT = Ctx.getAsArrayType(T)) {
753 // Set the default value of the array to conjured symbol.
754 DefinedOrUnknownSVal V =
755 svalBuilder.conjureSymbolVal(baseR, Ex, LCtx,
756 AT->getElementType(), Count);
757 B = RM.addBinding(B, baseR, BindingKey::Default, V);
758 return;
759 }
760
761 if (includeGlobals &&
762 isa<NonStaticGlobalSpaceRegion>(baseR->getMemorySpace())) {
763 // If the region is a global and we are invalidating all globals,
764 // just erase the entry. This causes all globals to be lazily
765 // symbolicated from the same base symbol.
766 B = RM.removeBinding(B, baseR);
767 return;
768 }
769
770
771 DefinedOrUnknownSVal V = svalBuilder.conjureSymbolVal(baseR, Ex, LCtx,
772 T,Count);
773 assert(SymbolManager::canSymbolicate(T) || V.isUnknown());
774 B = RM.addBinding(B, baseR, BindingKey::Direct, V);
775 }
776
invalidateGlobalRegion(MemRegion::Kind K,const Expr * Ex,unsigned Count,const LocationContext * LCtx,RegionBindings B,InvalidatedRegions * Invalidated)777 RegionBindings RegionStoreManager::invalidateGlobalRegion(MemRegion::Kind K,
778 const Expr *Ex,
779 unsigned Count,
780 const LocationContext *LCtx,
781 RegionBindings B,
782 InvalidatedRegions *Invalidated) {
783 // Bind the globals memory space to a new symbol that we will use to derive
784 // the bindings for all globals.
785 const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion(K);
786 SVal V = svalBuilder.conjureSymbolVal(/* SymbolTag = */ (const void*) GS, Ex, LCtx,
787 /* type does not matter */ Ctx.IntTy,
788 Count);
789
790 B = removeBinding(B, GS);
791 B = addBinding(B, BindingKey::Make(GS, BindingKey::Default), V);
792
793 // Even if there are no bindings in the global scope, we still need to
794 // record that we touched it.
795 if (Invalidated)
796 Invalidated->push_back(GS);
797
798 return B;
799 }
800
invalidateRegions(Store store,ArrayRef<const MemRegion * > Regions,const Expr * Ex,unsigned Count,const LocationContext * LCtx,InvalidatedSymbols & IS,const CallEvent * Call,InvalidatedRegions * Invalidated)801 StoreRef RegionStoreManager::invalidateRegions(Store store,
802 ArrayRef<const MemRegion *> Regions,
803 const Expr *Ex, unsigned Count,
804 const LocationContext *LCtx,
805 InvalidatedSymbols &IS,
806 const CallEvent *Call,
807 InvalidatedRegions *Invalidated) {
808 invalidateRegionsWorker W(*this, StateMgr,
809 RegionStoreManager::GetRegionBindings(store),
810 Ex, Count, LCtx, IS, Invalidated, false);
811
812 // Scan the bindings and generate the clusters.
813 W.GenerateClusters();
814
815 // Add the regions to the worklist.
816 for (ArrayRef<const MemRegion *>::iterator
817 I = Regions.begin(), E = Regions.end(); I != E; ++I)
818 W.AddToWorkList(*I);
819
820 W.RunWorkList();
821
822 // Return the new bindings.
823 RegionBindings B = W.getRegionBindings();
824
825 // For all globals which are not static nor immutable: determine which global
826 // regions should be invalidated and invalidate them.
827 // TODO: This could possibly be more precise with modules.
828 //
829 // System calls invalidate only system globals.
830 if (Call && Call->isInSystemHeader()) {
831 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind,
832 Ex, Count, LCtx, B, Invalidated);
833 // Internal calls might invalidate both system and internal globals.
834 } else {
835 B = invalidateGlobalRegion(MemRegion::GlobalSystemSpaceRegionKind,
836 Ex, Count, LCtx, B, Invalidated);
837 B = invalidateGlobalRegion(MemRegion::GlobalInternalSpaceRegionKind,
838 Ex, Count, LCtx, B, Invalidated);
839 }
840
841 return StoreRef(B.getRootWithoutRetain(), *this);
842 }
843
844 //===----------------------------------------------------------------------===//
845 // Extents for regions.
846 //===----------------------------------------------------------------------===//
847
848 DefinedOrUnknownSVal
getSizeInElements(ProgramStateRef state,const MemRegion * R,QualType EleTy)849 RegionStoreManager::getSizeInElements(ProgramStateRef state,
850 const MemRegion *R,
851 QualType EleTy) {
852 SVal Size = cast<SubRegion>(R)->getExtent(svalBuilder);
853 const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
854 if (!SizeInt)
855 return UnknownVal();
856
857 CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue());
858
859 if (Ctx.getAsVariableArrayType(EleTy)) {
860 // FIXME: We need to track extra state to properly record the size
861 // of VLAs. Returning UnknownVal here, however, is a stop-gap so that
862 // we don't have a divide-by-zero below.
863 return UnknownVal();
864 }
865
866 CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy);
867
868 // If a variable is reinterpreted as a type that doesn't fit into a larger
869 // type evenly, round it down.
870 // This is a signed value, since it's used in arithmetic with signed indices.
871 return svalBuilder.makeIntVal(RegionSize / EleSize, false);
872 }
873
874 //===----------------------------------------------------------------------===//
875 // Location and region casting.
876 //===----------------------------------------------------------------------===//
877
878 /// ArrayToPointer - Emulates the "decay" of an array to a pointer
879 /// type. 'Array' represents the lvalue of the array being decayed
880 /// to a pointer, and the returned SVal represents the decayed
881 /// version of that lvalue (i.e., a pointer to the first element of
882 /// the array). This is called by ExprEngine when evaluating casts
883 /// from arrays to pointers.
ArrayToPointer(Loc Array)884 SVal RegionStoreManager::ArrayToPointer(Loc Array) {
885 if (!isa<loc::MemRegionVal>(Array))
886 return UnknownVal();
887
888 const MemRegion* R = cast<loc::MemRegionVal>(&Array)->getRegion();
889 const TypedValueRegion* ArrayR = dyn_cast<TypedValueRegion>(R);
890
891 if (!ArrayR)
892 return UnknownVal();
893
894 // Strip off typedefs from the ArrayRegion's ValueType.
895 QualType T = ArrayR->getValueType().getDesugaredType(Ctx);
896 const ArrayType *AT = cast<ArrayType>(T);
897 T = AT->getElementType();
898
899 NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();
900 return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx));
901 }
902
903 // This mirrors Type::getCXXRecordDeclForPointerType(), but there doesn't
904 // appear to be another need for this in the rest of the codebase.
GetCXXRecordDeclForReferenceType(QualType Ty)905 static const CXXRecordDecl *GetCXXRecordDeclForReferenceType(QualType Ty) {
906 if (const ReferenceType *RT = Ty->getAs<ReferenceType>())
907 if (const RecordType *RCT = RT->getPointeeType()->getAs<RecordType>())
908 return dyn_cast<CXXRecordDecl>(RCT->getDecl());
909 return 0;
910 }
911
evalDerivedToBase(SVal derived,QualType baseType)912 SVal RegionStoreManager::evalDerivedToBase(SVal derived, QualType baseType) {
913 const CXXRecordDecl *baseDecl;
914
915 if (baseType->isPointerType())
916 baseDecl = baseType->getCXXRecordDeclForPointerType();
917 else if (baseType->isReferenceType())
918 baseDecl = GetCXXRecordDeclForReferenceType(baseType);
919 else
920 baseDecl = baseType->getAsCXXRecordDecl();
921
922 assert(baseDecl && "not a CXXRecordDecl?");
923
924 loc::MemRegionVal *derivedRegVal = dyn_cast<loc::MemRegionVal>(&derived);
925 if (!derivedRegVal)
926 return derived;
927
928 const MemRegion *baseReg =
929 MRMgr.getCXXBaseObjectRegion(baseDecl, derivedRegVal->getRegion());
930
931 return loc::MemRegionVal(baseReg);
932 }
933
evalDynamicCast(SVal base,QualType derivedType,bool & Failed)934 SVal RegionStoreManager::evalDynamicCast(SVal base, QualType derivedType,
935 bool &Failed) {
936 Failed = false;
937
938 loc::MemRegionVal *baseRegVal = dyn_cast<loc::MemRegionVal>(&base);
939 if (!baseRegVal)
940 return UnknownVal();
941 const MemRegion *BaseRegion = baseRegVal->stripCasts(/*StripBases=*/false);
942
943 // Assume the derived class is a pointer or a reference to a CXX record.
944 derivedType = derivedType->getPointeeType();
945 assert(!derivedType.isNull());
946 const CXXRecordDecl *DerivedDecl = derivedType->getAsCXXRecordDecl();
947 if (!DerivedDecl && !derivedType->isVoidType())
948 return UnknownVal();
949
950 // Drill down the CXXBaseObject chains, which represent upcasts (casts from
951 // derived to base).
952 const MemRegion *SR = BaseRegion;
953 while (const TypedRegion *TSR = dyn_cast_or_null<TypedRegion>(SR)) {
954 QualType BaseType = TSR->getLocationType()->getPointeeType();
955 assert(!BaseType.isNull());
956 const CXXRecordDecl *SRDecl = BaseType->getAsCXXRecordDecl();
957 if (!SRDecl)
958 return UnknownVal();
959
960 // If found the derived class, the cast succeeds.
961 if (SRDecl == DerivedDecl)
962 return loc::MemRegionVal(TSR);
963
964 if (!derivedType->isVoidType()) {
965 // Static upcasts are marked as DerivedToBase casts by Sema, so this will
966 // only happen when multiple or virtual inheritance is involved.
967 CXXBasePaths Paths(/*FindAmbiguities=*/false, /*RecordPaths=*/true,
968 /*DetectVirtual=*/false);
969 if (SRDecl->isDerivedFrom(DerivedDecl, Paths)) {
970 SVal Result = loc::MemRegionVal(TSR);
971 const CXXBasePath &Path = *Paths.begin();
972 for (CXXBasePath::const_iterator I = Path.begin(), E = Path.end();
973 I != E; ++I) {
974 Result = evalDerivedToBase(Result, I->Base->getType());
975 }
976 return Result;
977 }
978 }
979
980 if (const CXXBaseObjectRegion *R = dyn_cast<CXXBaseObjectRegion>(TSR))
981 // Drill down the chain to get the derived classes.
982 SR = R->getSuperRegion();
983 else {
984 // We reached the bottom of the hierarchy.
985
986 // If this is a cast to void*, return the region.
987 if (derivedType->isVoidType())
988 return loc::MemRegionVal(TSR);
989
990 // We did not find the derived class. We we must be casting the base to
991 // derived, so the cast should fail.
992 Failed = true;
993 return UnknownVal();
994 }
995 }
996
997 return UnknownVal();
998 }
999
1000 //===----------------------------------------------------------------------===//
1001 // Loading values from regions.
1002 //===----------------------------------------------------------------------===//
1003
getDirectBinding(RegionBindings B,const MemRegion * R)1004 Optional<SVal> RegionStoreManager::getDirectBinding(RegionBindings B,
1005 const MemRegion *R) {
1006
1007 if (const SVal *V = lookup(B, R, BindingKey::Direct))
1008 return *V;
1009
1010 return Optional<SVal>();
1011 }
1012
getDefaultBinding(RegionBindings B,const MemRegion * R)1013 Optional<SVal> RegionStoreManager::getDefaultBinding(RegionBindings B,
1014 const MemRegion *R) {
1015 if (R->isBoundable())
1016 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R))
1017 if (TR->getValueType()->isUnionType())
1018 return UnknownVal();
1019
1020 if (const SVal *V = lookup(B, R, BindingKey::Default))
1021 return *V;
1022
1023 return Optional<SVal>();
1024 }
1025
getBinding(Store store,Loc L,QualType T)1026 SVal RegionStoreManager::getBinding(Store store, Loc L, QualType T) {
1027 assert(!isa<UnknownVal>(L) && "location unknown");
1028 assert(!isa<UndefinedVal>(L) && "location undefined");
1029
1030 // For access to concrete addresses, return UnknownVal. Checks
1031 // for null dereferences (and similar errors) are done by checkers, not
1032 // the Store.
1033 // FIXME: We can consider lazily symbolicating such memory, but we really
1034 // should defer this when we can reason easily about symbolicating arrays
1035 // of bytes.
1036 if (isa<loc::ConcreteInt>(L)) {
1037 return UnknownVal();
1038 }
1039 if (!isa<loc::MemRegionVal>(L)) {
1040 return UnknownVal();
1041 }
1042
1043 const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion();
1044
1045 if (isa<AllocaRegion>(MR) ||
1046 isa<SymbolicRegion>(MR) ||
1047 isa<CodeTextRegion>(MR)) {
1048 if (T.isNull()) {
1049 if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR))
1050 T = TR->getLocationType();
1051 else {
1052 const SymbolicRegion *SR = cast<SymbolicRegion>(MR);
1053 T = SR->getSymbol()->getType(Ctx);
1054 }
1055 }
1056 MR = GetElementZeroRegion(MR, T);
1057 }
1058
1059 // FIXME: Perhaps this method should just take a 'const MemRegion*' argument
1060 // instead of 'Loc', and have the other Loc cases handled at a higher level.
1061 const TypedValueRegion *R = cast<TypedValueRegion>(MR);
1062 QualType RTy = R->getValueType();
1063
1064 // FIXME: We should eventually handle funny addressing. e.g.:
1065 //
1066 // int x = ...;
1067 // int *p = &x;
1068 // char *q = (char*) p;
1069 // char c = *q; // returns the first byte of 'x'.
1070 //
1071 // Such funny addressing will occur due to layering of regions.
1072
1073 if (RTy->isStructureOrClassType())
1074 return getBindingForStruct(store, R);
1075
1076 // FIXME: Handle unions.
1077 if (RTy->isUnionType())
1078 return UnknownVal();
1079
1080 if (RTy->isArrayType()) {
1081 if (RTy->isConstantArrayType())
1082 return getBindingForArray(store, R);
1083 else
1084 return UnknownVal();
1085 }
1086
1087 // FIXME: handle Vector types.
1088 if (RTy->isVectorType())
1089 return UnknownVal();
1090
1091 if (const FieldRegion* FR = dyn_cast<FieldRegion>(R))
1092 return CastRetrievedVal(getBindingForField(store, FR), FR, T, false);
1093
1094 if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
1095 // FIXME: Here we actually perform an implicit conversion from the loaded
1096 // value to the element type. Eventually we want to compose these values
1097 // more intelligently. For example, an 'element' can encompass multiple
1098 // bound regions (e.g., several bound bytes), or could be a subset of
1099 // a larger value.
1100 return CastRetrievedVal(getBindingForElement(store, ER), ER, T, false);
1101 }
1102
1103 if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) {
1104 // FIXME: Here we actually perform an implicit conversion from the loaded
1105 // value to the ivar type. What we should model is stores to ivars
1106 // that blow past the extent of the ivar. If the address of the ivar is
1107 // reinterpretted, it is possible we stored a different value that could
1108 // fit within the ivar. Either we need to cast these when storing them
1109 // or reinterpret them lazily (as we do here).
1110 return CastRetrievedVal(getBindingForObjCIvar(store, IVR), IVR, T, false);
1111 }
1112
1113 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
1114 // FIXME: Here we actually perform an implicit conversion from the loaded
1115 // value to the variable type. What we should model is stores to variables
1116 // that blow past the extent of the variable. If the address of the
1117 // variable is reinterpretted, it is possible we stored a different value
1118 // that could fit within the variable. Either we need to cast these when
1119 // storing them or reinterpret them lazily (as we do here).
1120 return CastRetrievedVal(getBindingForVar(store, VR), VR, T, false);
1121 }
1122
1123 RegionBindings B = GetRegionBindings(store);
1124 const SVal *V = lookup(B, R, BindingKey::Direct);
1125
1126 // Check if the region has a binding.
1127 if (V)
1128 return *V;
1129
1130 // The location does not have a bound value. This means that it has
1131 // the value it had upon its creation and/or entry to the analyzed
1132 // function/method. These are either symbolic values or 'undefined'.
1133 if (R->hasStackNonParametersStorage()) {
1134 // All stack variables are considered to have undefined values
1135 // upon creation. All heap allocated blocks are considered to
1136 // have undefined values as well unless they are explicitly bound
1137 // to specific values.
1138 return UndefinedVal();
1139 }
1140
1141 // All other values are symbolic.
1142 return svalBuilder.getRegionValueSymbolVal(R);
1143 }
1144
1145 std::pair<Store, const MemRegion *>
GetLazyBinding(RegionBindings B,const MemRegion * R,const MemRegion * originalRegion,bool includeSuffix)1146 RegionStoreManager::GetLazyBinding(RegionBindings B, const MemRegion *R,
1147 const MemRegion *originalRegion,
1148 bool includeSuffix) {
1149
1150 if (originalRegion != R) {
1151 if (Optional<SVal> OV = getDefaultBinding(B, R)) {
1152 if (const nonloc::LazyCompoundVal *V =
1153 dyn_cast<nonloc::LazyCompoundVal>(OV.getPointer()))
1154 return std::make_pair(V->getStore(), V->getRegion());
1155 }
1156 }
1157
1158 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
1159 const std::pair<Store, const MemRegion *> &X =
1160 GetLazyBinding(B, ER->getSuperRegion(), originalRegion);
1161
1162 if (X.second)
1163 return std::make_pair(X.first,
1164 MRMgr.getElementRegionWithSuper(ER, X.second));
1165 }
1166 else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) {
1167 const std::pair<Store, const MemRegion *> &X =
1168 GetLazyBinding(B, FR->getSuperRegion(), originalRegion);
1169
1170 if (X.second) {
1171 if (includeSuffix)
1172 return std::make_pair(X.first,
1173 MRMgr.getFieldRegionWithSuper(FR, X.second));
1174 return X;
1175 }
1176
1177 }
1178 // C++ base object region is another kind of region that we should blast
1179 // through to look for lazy compound value. It is like a field region.
1180 else if (const CXXBaseObjectRegion *baseReg =
1181 dyn_cast<CXXBaseObjectRegion>(R)) {
1182 const std::pair<Store, const MemRegion *> &X =
1183 GetLazyBinding(B, baseReg->getSuperRegion(), originalRegion);
1184
1185 if (X.second) {
1186 if (includeSuffix)
1187 return std::make_pair(X.first,
1188 MRMgr.getCXXBaseObjectRegionWithSuper(baseReg,
1189 X.second));
1190 return X;
1191 }
1192 }
1193
1194 // The NULL MemRegion indicates an non-existent lazy binding. A NULL Store is
1195 // possible for a valid lazy binding.
1196 return std::make_pair((Store) 0, (const MemRegion *) 0);
1197 }
1198
getBindingForElement(Store store,const ElementRegion * R)1199 SVal RegionStoreManager::getBindingForElement(Store store,
1200 const ElementRegion* R) {
1201 // We do not currently model bindings of the CompoundLiteralregion.
1202 if (isa<CompoundLiteralRegion>(R->getBaseRegion()))
1203 return UnknownVal();
1204
1205 // Check if the region has a binding.
1206 RegionBindings B = GetRegionBindings(store);
1207 if (const Optional<SVal> &V = getDirectBinding(B, R))
1208 return *V;
1209
1210 const MemRegion* superR = R->getSuperRegion();
1211
1212 // Check if the region is an element region of a string literal.
1213 if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) {
1214 // FIXME: Handle loads from strings where the literal is treated as
1215 // an integer, e.g., *((unsigned int*)"hello")
1216 QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType();
1217 if (T != Ctx.getCanonicalType(R->getElementType()))
1218 return UnknownVal();
1219
1220 const StringLiteral *Str = StrR->getStringLiteral();
1221 SVal Idx = R->getIndex();
1222 if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) {
1223 int64_t i = CI->getValue().getSExtValue();
1224 // Abort on string underrun. This can be possible by arbitrary
1225 // clients of getBindingForElement().
1226 if (i < 0)
1227 return UndefinedVal();
1228 int64_t length = Str->getLength();
1229 // Technically, only i == length is guaranteed to be null.
1230 // However, such overflows should be caught before reaching this point;
1231 // the only time such an access would be made is if a string literal was
1232 // used to initialize a larger array.
1233 char c = (i >= length) ? '\0' : Str->getCodeUnit(i);
1234 return svalBuilder.makeIntVal(c, T);
1235 }
1236 }
1237
1238 // Check for loads from a code text region. For such loads, just give up.
1239 if (isa<CodeTextRegion>(superR))
1240 return UnknownVal();
1241
1242 // Handle the case where we are indexing into a larger scalar object.
1243 // For example, this handles:
1244 // int x = ...
1245 // char *y = &x;
1246 // return *y;
1247 // FIXME: This is a hack, and doesn't do anything really intelligent yet.
1248 const RegionRawOffset &O = R->getAsArrayOffset();
1249
1250 // If we cannot reason about the offset, return an unknown value.
1251 if (!O.getRegion())
1252 return UnknownVal();
1253
1254 if (const TypedValueRegion *baseR =
1255 dyn_cast_or_null<TypedValueRegion>(O.getRegion())) {
1256 QualType baseT = baseR->getValueType();
1257 if (baseT->isScalarType()) {
1258 QualType elemT = R->getElementType();
1259 if (elemT->isScalarType()) {
1260 if (Ctx.getTypeSizeInChars(baseT) >= Ctx.getTypeSizeInChars(elemT)) {
1261 if (const Optional<SVal> &V = getDirectBinding(B, superR)) {
1262 if (SymbolRef parentSym = V->getAsSymbol())
1263 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
1264
1265 if (V->isUnknownOrUndef())
1266 return *V;
1267 // Other cases: give up. We are indexing into a larger object
1268 // that has some value, but we don't know how to handle that yet.
1269 return UnknownVal();
1270 }
1271 }
1272 }
1273 }
1274 }
1275 return getBindingForFieldOrElementCommon(store, R, R->getElementType(),
1276 superR);
1277 }
1278
getBindingForField(Store store,const FieldRegion * R)1279 SVal RegionStoreManager::getBindingForField(Store store,
1280 const FieldRegion* R) {
1281
1282 // Check if the region has a binding.
1283 RegionBindings B = GetRegionBindings(store);
1284 if (const Optional<SVal> &V = getDirectBinding(B, R))
1285 return *V;
1286
1287 QualType Ty = R->getValueType();
1288 return getBindingForFieldOrElementCommon(store, R, Ty, R->getSuperRegion());
1289 }
1290
1291 Optional<SVal>
getBindingForDerivedDefaultValue(RegionBindings B,const MemRegion * superR,const TypedValueRegion * R,QualType Ty)1292 RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindings B,
1293 const MemRegion *superR,
1294 const TypedValueRegion *R,
1295 QualType Ty) {
1296
1297 if (const Optional<SVal> &D = getDefaultBinding(B, superR)) {
1298 const SVal &val = D.getValue();
1299 if (SymbolRef parentSym = val.getAsSymbol())
1300 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
1301
1302 if (val.isZeroConstant())
1303 return svalBuilder.makeZeroVal(Ty);
1304
1305 if (val.isUnknownOrUndef())
1306 return val;
1307
1308 // Lazy bindings are handled later.
1309 if (isa<nonloc::LazyCompoundVal>(val))
1310 return Optional<SVal>();
1311
1312 llvm_unreachable("Unknown default value");
1313 }
1314
1315 return Optional<SVal>();
1316 }
1317
getLazyBinding(const MemRegion * lazyBindingRegion,Store lazyBindingStore)1318 SVal RegionStoreManager::getLazyBinding(const MemRegion *lazyBindingRegion,
1319 Store lazyBindingStore) {
1320 if (const ElementRegion *ER = dyn_cast<ElementRegion>(lazyBindingRegion))
1321 return getBindingForElement(lazyBindingStore, ER);
1322
1323 return getBindingForField(lazyBindingStore,
1324 cast<FieldRegion>(lazyBindingRegion));
1325 }
1326
getBindingForFieldOrElementCommon(Store store,const TypedValueRegion * R,QualType Ty,const MemRegion * superR)1327 SVal RegionStoreManager::getBindingForFieldOrElementCommon(Store store,
1328 const TypedValueRegion *R,
1329 QualType Ty,
1330 const MemRegion *superR) {
1331
1332 // At this point we have already checked in either getBindingForElement or
1333 // getBindingForField if 'R' has a direct binding.
1334 RegionBindings B = GetRegionBindings(store);
1335
1336 // Lazy binding?
1337 Store lazyBindingStore = NULL;
1338 const MemRegion *lazyBindingRegion = NULL;
1339 llvm::tie(lazyBindingStore, lazyBindingRegion) = GetLazyBinding(B, R, R,
1340 true);
1341
1342 if (lazyBindingRegion)
1343 return getLazyBinding(lazyBindingRegion, lazyBindingStore);
1344
1345 // Record whether or not we see a symbolic index. That can completely
1346 // be out of scope of our lookup.
1347 bool hasSymbolicIndex = false;
1348
1349 while (superR) {
1350 if (const Optional<SVal> &D =
1351 getBindingForDerivedDefaultValue(B, superR, R, Ty))
1352 return *D;
1353
1354 if (const ElementRegion *ER = dyn_cast<ElementRegion>(superR)) {
1355 NonLoc index = ER->getIndex();
1356 if (!index.isConstant())
1357 hasSymbolicIndex = true;
1358 }
1359
1360 // If our super region is a field or element itself, walk up the region
1361 // hierarchy to see if there is a default value installed in an ancestor.
1362 if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) {
1363 superR = SR->getSuperRegion();
1364 continue;
1365 }
1366 break;
1367 }
1368
1369 if (R->hasStackNonParametersStorage()) {
1370 if (isa<ElementRegion>(R)) {
1371 // Currently we don't reason specially about Clang-style vectors. Check
1372 // if superR is a vector and if so return Unknown.
1373 if (const TypedValueRegion *typedSuperR =
1374 dyn_cast<TypedValueRegion>(superR)) {
1375 if (typedSuperR->getValueType()->isVectorType())
1376 return UnknownVal();
1377 }
1378 }
1379
1380 // FIXME: We also need to take ElementRegions with symbolic indexes into
1381 // account. This case handles both directly accessing an ElementRegion
1382 // with a symbolic offset, but also fields within an element with
1383 // a symbolic offset.
1384 if (hasSymbolicIndex)
1385 return UnknownVal();
1386
1387 return UndefinedVal();
1388 }
1389
1390 // All other values are symbolic.
1391 return svalBuilder.getRegionValueSymbolVal(R);
1392 }
1393
getBindingForObjCIvar(Store store,const ObjCIvarRegion * R)1394 SVal RegionStoreManager::getBindingForObjCIvar(Store store,
1395 const ObjCIvarRegion* R) {
1396
1397 // Check if the region has a binding.
1398 RegionBindings B = GetRegionBindings(store);
1399
1400 if (const Optional<SVal> &V = getDirectBinding(B, R))
1401 return *V;
1402
1403 const MemRegion *superR = R->getSuperRegion();
1404
1405 // Check if the super region has a default binding.
1406 if (const Optional<SVal> &V = getDefaultBinding(B, superR)) {
1407 if (SymbolRef parentSym = V->getAsSymbol())
1408 return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
1409
1410 // Other cases: give up.
1411 return UnknownVal();
1412 }
1413
1414 return getBindingForLazySymbol(R);
1415 }
1416
getBindingForVar(Store store,const VarRegion * R)1417 SVal RegionStoreManager::getBindingForVar(Store store, const VarRegion *R) {
1418
1419 // Check if the region has a binding.
1420 RegionBindings B = GetRegionBindings(store);
1421
1422 if (const Optional<SVal> &V = getDirectBinding(B, R))
1423 return *V;
1424
1425 // Lazily derive a value for the VarRegion.
1426 const VarDecl *VD = R->getDecl();
1427 QualType T = VD->getType();
1428 const MemSpaceRegion *MS = R->getMemorySpace();
1429
1430 if (isa<UnknownSpaceRegion>(MS) ||
1431 isa<StackArgumentsSpaceRegion>(MS))
1432 return svalBuilder.getRegionValueSymbolVal(R);
1433
1434 if (isa<GlobalsSpaceRegion>(MS)) {
1435 if (isa<NonStaticGlobalSpaceRegion>(MS)) {
1436 // Is 'VD' declared constant? If so, retrieve the constant value.
1437 QualType CT = Ctx.getCanonicalType(T);
1438 if (CT.isConstQualified()) {
1439 const Expr *Init = VD->getInit();
1440 // Do the null check first, as we want to call 'IgnoreParenCasts'.
1441 if (Init)
1442 if (const IntegerLiteral *IL =
1443 dyn_cast<IntegerLiteral>(Init->IgnoreParenCasts())) {
1444 const nonloc::ConcreteInt &V = svalBuilder.makeIntVal(IL);
1445 return svalBuilder.evalCast(V, Init->getType(), IL->getType());
1446 }
1447 }
1448
1449 if (const Optional<SVal> &V
1450 = getBindingForDerivedDefaultValue(B, MS, R, CT))
1451 return V.getValue();
1452
1453 return svalBuilder.getRegionValueSymbolVal(R);
1454 }
1455
1456 if (T->isIntegerType())
1457 return svalBuilder.makeIntVal(0, T);
1458 if (T->isPointerType())
1459 return svalBuilder.makeNull();
1460
1461 return UnknownVal();
1462 }
1463
1464 return UndefinedVal();
1465 }
1466
getBindingForLazySymbol(const TypedValueRegion * R)1467 SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) {
1468 // All other values are symbolic.
1469 return svalBuilder.getRegionValueSymbolVal(R);
1470 }
1471
mayHaveLazyBinding(QualType Ty)1472 static bool mayHaveLazyBinding(QualType Ty) {
1473 return Ty->isArrayType() || Ty->isStructureOrClassType();
1474 }
1475
getBindingForStruct(Store store,const TypedValueRegion * R)1476 SVal RegionStoreManager::getBindingForStruct(Store store,
1477 const TypedValueRegion* R) {
1478 const RecordDecl *RD = R->getValueType()->castAs<RecordType>()->getDecl();
1479 if (RD->field_empty())
1480 return UnknownVal();
1481
1482 // If we already have a lazy binding, don't create a new one,
1483 // unless the first field might have a lazy binding of its own.
1484 // (Right now we can't tell the difference.)
1485 QualType FirstFieldType = RD->field_begin()->getType();
1486 if (!mayHaveLazyBinding(FirstFieldType)) {
1487 RegionBindings B = GetRegionBindings(store);
1488 BindingKey K = BindingKey::Make(R, BindingKey::Default);
1489 if (const nonloc::LazyCompoundVal *V =
1490 dyn_cast_or_null<nonloc::LazyCompoundVal>(lookup(B, K))) {
1491 return *V;
1492 }
1493 }
1494
1495 return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R);
1496 }
1497
getBindingForArray(Store store,const TypedValueRegion * R)1498 SVal RegionStoreManager::getBindingForArray(Store store,
1499 const TypedValueRegion * R) {
1500 const ConstantArrayType *Ty = Ctx.getAsConstantArrayType(R->getValueType());
1501 assert(Ty && "Only constant array types can have compound bindings.");
1502
1503 // If we already have a lazy binding, don't create a new one,
1504 // unless the first element might have a lazy binding of its own.
1505 // (Right now we can't tell the difference.)
1506 if (!mayHaveLazyBinding(Ty->getElementType())) {
1507 RegionBindings B = GetRegionBindings(store);
1508 BindingKey K = BindingKey::Make(R, BindingKey::Default);
1509 if (const nonloc::LazyCompoundVal *V =
1510 dyn_cast_or_null<nonloc::LazyCompoundVal>(lookup(B, K))) {
1511 return *V;
1512 }
1513 }
1514
1515 return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R);
1516 }
1517
includedInBindings(Store store,const MemRegion * region) const1518 bool RegionStoreManager::includedInBindings(Store store,
1519 const MemRegion *region) const {
1520 RegionBindings B = GetRegionBindings(store);
1521 region = region->getBaseRegion();
1522
1523 // Quick path: if the base is the head of a cluster, the region is live.
1524 if (B.lookup(region))
1525 return true;
1526
1527 // Slow path: if the region is the VALUE of any binding, it is live.
1528 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI) {
1529 const ClusterBindings &Cluster = RI.getData();
1530 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
1531 CI != CE; ++CI) {
1532 const SVal &D = CI.getData();
1533 if (const MemRegion *R = D.getAsRegion())
1534 if (R->getBaseRegion() == region)
1535 return true;
1536 }
1537 }
1538
1539 return false;
1540 }
1541
1542 //===----------------------------------------------------------------------===//
1543 // Binding values to regions.
1544 //===----------------------------------------------------------------------===//
1545
killBinding(Store ST,Loc L)1546 StoreRef RegionStoreManager::killBinding(Store ST, Loc L) {
1547 if (isa<loc::MemRegionVal>(L))
1548 if (const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion())
1549 return StoreRef(removeBinding(GetRegionBindings(ST),
1550 R).getRootWithoutRetain(),
1551 *this);
1552
1553 return StoreRef(ST, *this);
1554 }
1555
Bind(Store store,Loc L,SVal V)1556 StoreRef RegionStoreManager::Bind(Store store, Loc L, SVal V) {
1557 if (isa<loc::ConcreteInt>(L))
1558 return StoreRef(store, *this);
1559
1560 // If we get here, the location should be a region.
1561 const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion();
1562
1563 // Check if the region is a struct region.
1564 if (const TypedValueRegion* TR = dyn_cast<TypedValueRegion>(R)) {
1565 QualType Ty = TR->getValueType();
1566 if (Ty->isArrayType())
1567 return BindArray(store, TR, V);
1568 if (Ty->isStructureOrClassType())
1569 return BindStruct(store, TR, V);
1570 if (Ty->isVectorType())
1571 return BindVector(store, TR, V);
1572 }
1573
1574 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
1575 // Binding directly to a symbolic region should be treated as binding
1576 // to element 0.
1577 QualType T = SR->getSymbol()->getType(Ctx);
1578 if (T->isAnyPointerType() || T->isReferenceType())
1579 T = T->getPointeeType();
1580
1581 R = GetElementZeroRegion(SR, T);
1582 }
1583
1584 // Clear out bindings that may overlap with this binding.
1585
1586 // Perform the binding.
1587 RegionBindings B = GetRegionBindings(store);
1588 B = removeSubRegionBindings(B, cast<SubRegion>(R));
1589 BindingKey Key = BindingKey::Make(R, BindingKey::Direct);
1590 return StoreRef(addBinding(B, Key, V).getRootWithoutRetain(), *this);
1591 }
1592
1593 // FIXME: this method should be merged into Bind().
bindCompoundLiteral(Store ST,const CompoundLiteralExpr * CL,const LocationContext * LC,SVal V)1594 StoreRef RegionStoreManager::bindCompoundLiteral(Store ST,
1595 const CompoundLiteralExpr *CL,
1596 const LocationContext *LC,
1597 SVal V) {
1598 return Bind(ST, loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC)), V);
1599 }
1600
setImplicitDefaultValue(Store store,const MemRegion * R,QualType T)1601 StoreRef RegionStoreManager::setImplicitDefaultValue(Store store,
1602 const MemRegion *R,
1603 QualType T) {
1604 RegionBindings B = GetRegionBindings(store);
1605 SVal V;
1606
1607 if (Loc::isLocType(T))
1608 V = svalBuilder.makeNull();
1609 else if (T->isIntegerType())
1610 V = svalBuilder.makeZeroVal(T);
1611 else if (T->isStructureOrClassType() || T->isArrayType()) {
1612 // Set the default value to a zero constant when it is a structure
1613 // or array. The type doesn't really matter.
1614 V = svalBuilder.makeZeroVal(Ctx.IntTy);
1615 }
1616 else {
1617 // We can't represent values of this type, but we still need to set a value
1618 // to record that the region has been initialized.
1619 // If this assertion ever fires, a new case should be added above -- we
1620 // should know how to default-initialize any value we can symbolicate.
1621 assert(!SymbolManager::canSymbolicate(T) && "This type is representable");
1622 V = UnknownVal();
1623 }
1624
1625 return StoreRef(addBinding(B, R, BindingKey::Default,
1626 V).getRootWithoutRetain(), *this);
1627 }
1628
BindArray(Store store,const TypedValueRegion * R,SVal Init)1629 StoreRef RegionStoreManager::BindArray(Store store, const TypedValueRegion* R,
1630 SVal Init) {
1631
1632 const ArrayType *AT =cast<ArrayType>(Ctx.getCanonicalType(R->getValueType()));
1633 QualType ElementTy = AT->getElementType();
1634 Optional<uint64_t> Size;
1635
1636 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT))
1637 Size = CAT->getSize().getZExtValue();
1638
1639 // Check if the init expr is a string literal.
1640 if (loc::MemRegionVal *MRV = dyn_cast<loc::MemRegionVal>(&Init)) {
1641 const StringRegion *S = cast<StringRegion>(MRV->getRegion());
1642
1643 // Treat the string as a lazy compound value.
1644 nonloc::LazyCompoundVal LCV =
1645 cast<nonloc::LazyCompoundVal>(svalBuilder.
1646 makeLazyCompoundVal(StoreRef(store, *this), S));
1647 return BindAggregate(store, R, LCV);
1648 }
1649
1650 // Handle lazy compound values.
1651 if (isa<nonloc::LazyCompoundVal>(Init))
1652 return BindAggregate(store, R, Init);
1653
1654 // Remaining case: explicit compound values.
1655
1656 if (Init.isUnknown())
1657 return setImplicitDefaultValue(store, R, ElementTy);
1658
1659 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init);
1660 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
1661 uint64_t i = 0;
1662
1663 StoreRef newStore(store, *this);
1664 for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) {
1665 // The init list might be shorter than the array length.
1666 if (VI == VE)
1667 break;
1668
1669 const NonLoc &Idx = svalBuilder.makeArrayIndex(i);
1670 const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx);
1671
1672 if (ElementTy->isStructureOrClassType())
1673 newStore = BindStruct(newStore.getStore(), ER, *VI);
1674 else if (ElementTy->isArrayType())
1675 newStore = BindArray(newStore.getStore(), ER, *VI);
1676 else
1677 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(ER), *VI);
1678 }
1679
1680 // If the init list is shorter than the array length, set the
1681 // array default value.
1682 if (Size.hasValue() && i < Size.getValue())
1683 newStore = setImplicitDefaultValue(newStore.getStore(), R, ElementTy);
1684
1685 return newStore;
1686 }
1687
BindVector(Store store,const TypedValueRegion * R,SVal V)1688 StoreRef RegionStoreManager::BindVector(Store store, const TypedValueRegion* R,
1689 SVal V) {
1690 QualType T = R->getValueType();
1691 assert(T->isVectorType());
1692 const VectorType *VT = T->getAs<VectorType>(); // Use getAs for typedefs.
1693
1694 // Handle lazy compound values and symbolic values.
1695 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V))
1696 return BindAggregate(store, R, V);
1697
1698 // We may get non-CompoundVal accidentally due to imprecise cast logic or
1699 // that we are binding symbolic struct value. Kill the field values, and if
1700 // the value is symbolic go and bind it as a "default" binding.
1701 if (!isa<nonloc::CompoundVal>(V)) {
1702 return BindAggregate(store, R, UnknownVal());
1703 }
1704
1705 QualType ElemType = VT->getElementType();
1706 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V);
1707 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
1708 unsigned index = 0, numElements = VT->getNumElements();
1709 StoreRef newStore(store, *this);
1710
1711 for ( ; index != numElements ; ++index) {
1712 if (VI == VE)
1713 break;
1714
1715 NonLoc Idx = svalBuilder.makeArrayIndex(index);
1716 const ElementRegion *ER = MRMgr.getElementRegion(ElemType, Idx, R, Ctx);
1717
1718 if (ElemType->isArrayType())
1719 newStore = BindArray(newStore.getStore(), ER, *VI);
1720 else if (ElemType->isStructureOrClassType())
1721 newStore = BindStruct(newStore.getStore(), ER, *VI);
1722 else
1723 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(ER), *VI);
1724 }
1725 return newStore;
1726 }
1727
BindStruct(Store store,const TypedValueRegion * R,SVal V)1728 StoreRef RegionStoreManager::BindStruct(Store store, const TypedValueRegion* R,
1729 SVal V) {
1730
1731 if (!Features.supportsFields())
1732 return StoreRef(store, *this);
1733
1734 QualType T = R->getValueType();
1735 assert(T->isStructureOrClassType());
1736
1737 const RecordType* RT = T->getAs<RecordType>();
1738 RecordDecl *RD = RT->getDecl();
1739
1740 if (!RD->isCompleteDefinition())
1741 return StoreRef(store, *this);
1742
1743 // Handle lazy compound values and symbolic values.
1744 if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V))
1745 return BindAggregate(store, R, V);
1746
1747 // We may get non-CompoundVal accidentally due to imprecise cast logic or
1748 // that we are binding symbolic struct value. Kill the field values, and if
1749 // the value is symbolic go and bind it as a "default" binding.
1750 if (V.isUnknown() || !isa<nonloc::CompoundVal>(V))
1751 return BindAggregate(store, R, UnknownVal());
1752
1753 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V);
1754 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
1755
1756 RecordDecl::field_iterator FI, FE;
1757 StoreRef newStore(store, *this);
1758
1759 for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) {
1760
1761 if (VI == VE)
1762 break;
1763
1764 // Skip any unnamed bitfields to stay in sync with the initializers.
1765 if (FI->isUnnamedBitfield())
1766 continue;
1767
1768 QualType FTy = FI->getType();
1769 const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R);
1770
1771 if (FTy->isArrayType())
1772 newStore = BindArray(newStore.getStore(), FR, *VI);
1773 else if (FTy->isStructureOrClassType())
1774 newStore = BindStruct(newStore.getStore(), FR, *VI);
1775 else
1776 newStore = Bind(newStore.getStore(), svalBuilder.makeLoc(FR), *VI);
1777 ++VI;
1778 }
1779
1780 // There may be fewer values in the initialize list than the fields of struct.
1781 if (FI != FE) {
1782 RegionBindings B = GetRegionBindings(newStore.getStore());
1783 B = addBinding(B, R, BindingKey::Default, svalBuilder.makeIntVal(0, false));
1784 newStore = StoreRef(B.getRootWithoutRetain(), *this);
1785 }
1786
1787 return newStore;
1788 }
1789
BindAggregate(Store store,const TypedRegion * R,SVal Val)1790 StoreRef RegionStoreManager::BindAggregate(Store store, const TypedRegion *R,
1791 SVal Val) {
1792 // Remove the old bindings, using 'R' as the root of all regions
1793 // we will invalidate. Then add the new binding.
1794 RegionBindings B = GetRegionBindings(store);
1795
1796 B = removeSubRegionBindings(B, R);
1797 B = addBinding(B, R, BindingKey::Default, Val);
1798
1799 return StoreRef(B.getRootWithoutRetain(), *this);
1800 }
1801
1802 //===----------------------------------------------------------------------===//
1803 // "Raw" retrievals and bindings.
1804 //===----------------------------------------------------------------------===//
1805
1806
addBinding(RegionBindings B,BindingKey K,SVal V)1807 RegionBindings RegionStoreManager::addBinding(RegionBindings B, BindingKey K,
1808 SVal V) {
1809 const MemRegion *Base = K.getBaseRegion();
1810
1811 const ClusterBindings *ExistingCluster = B.lookup(Base);
1812 ClusterBindings Cluster = (ExistingCluster ? *ExistingCluster
1813 : CBFactory.getEmptyMap());
1814
1815 ClusterBindings NewCluster = CBFactory.add(Cluster, K, V);
1816 return RBFactory.add(B, Base, NewCluster);
1817 }
1818
addBinding(RegionBindings B,const MemRegion * R,BindingKey::Kind k,SVal V)1819 RegionBindings RegionStoreManager::addBinding(RegionBindings B,
1820 const MemRegion *R,
1821 BindingKey::Kind k, SVal V) {
1822 return addBinding(B, BindingKey::Make(R, k), V);
1823 }
1824
lookup(RegionBindings B,BindingKey K)1825 const SVal *RegionStoreManager::lookup(RegionBindings B, BindingKey K) {
1826 const ClusterBindings *Cluster = B.lookup(K.getBaseRegion());
1827 if (!Cluster)
1828 return 0;
1829
1830 return Cluster->lookup(K);
1831 }
1832
lookup(RegionBindings B,const MemRegion * R,BindingKey::Kind k)1833 const SVal *RegionStoreManager::lookup(RegionBindings B,
1834 const MemRegion *R,
1835 BindingKey::Kind k) {
1836 return lookup(B, BindingKey::Make(R, k));
1837 }
1838
removeBinding(RegionBindings B,BindingKey K)1839 RegionBindings RegionStoreManager::removeBinding(RegionBindings B,
1840 BindingKey K) {
1841 const MemRegion *Base = K.getBaseRegion();
1842 const ClusterBindings *Cluster = B.lookup(Base);
1843 if (!Cluster)
1844 return B;
1845
1846 ClusterBindings NewCluster = CBFactory.remove(*Cluster, K);
1847 if (NewCluster.isEmpty())
1848 return RBFactory.remove(B, Base);
1849 return RBFactory.add(B, Base, NewCluster);
1850 }
1851
removeBinding(RegionBindings B,const MemRegion * R,BindingKey::Kind k)1852 RegionBindings RegionStoreManager::removeBinding(RegionBindings B,
1853 const MemRegion *R,
1854 BindingKey::Kind k){
1855 return removeBinding(B, BindingKey::Make(R, k));
1856 }
1857
removeCluster(RegionBindings B,const MemRegion * Base)1858 RegionBindings RegionStoreManager::removeCluster(RegionBindings B,
1859 const MemRegion *Base) {
1860 return RBFactory.remove(B, Base);
1861 }
1862
1863 //===----------------------------------------------------------------------===//
1864 // State pruning.
1865 //===----------------------------------------------------------------------===//
1866
1867 namespace {
1868 class removeDeadBindingsWorker :
1869 public ClusterAnalysis<removeDeadBindingsWorker> {
1870 SmallVector<const SymbolicRegion*, 12> Postponed;
1871 SymbolReaper &SymReaper;
1872 const StackFrameContext *CurrentLCtx;
1873
1874 public:
removeDeadBindingsWorker(RegionStoreManager & rm,ProgramStateManager & stateMgr,RegionBindings b,SymbolReaper & symReaper,const StackFrameContext * LCtx)1875 removeDeadBindingsWorker(RegionStoreManager &rm,
1876 ProgramStateManager &stateMgr,
1877 RegionBindings b, SymbolReaper &symReaper,
1878 const StackFrameContext *LCtx)
1879 : ClusterAnalysis<removeDeadBindingsWorker>(rm, stateMgr, b,
1880 /* includeGlobals = */ false),
1881 SymReaper(symReaper), CurrentLCtx(LCtx) {}
1882
1883 // Called by ClusterAnalysis.
1884 void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C);
1885 void VisitCluster(const MemRegion *baseR, const ClusterBindings &C);
1886
1887 bool UpdatePostponed();
1888 void VisitBinding(SVal V);
1889 };
1890 }
1891
VisitAddedToCluster(const MemRegion * baseR,const ClusterBindings & C)1892 void removeDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,
1893 const ClusterBindings &C) {
1894
1895 if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {
1896 if (SymReaper.isLive(VR))
1897 AddToWorkList(baseR, &C);
1898
1899 return;
1900 }
1901
1902 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {
1903 if (SymReaper.isLive(SR->getSymbol()))
1904 AddToWorkList(SR, &C);
1905 else
1906 Postponed.push_back(SR);
1907
1908 return;
1909 }
1910
1911 if (isa<NonStaticGlobalSpaceRegion>(baseR)) {
1912 AddToWorkList(baseR, &C);
1913 return;
1914 }
1915
1916 // CXXThisRegion in the current or parent location context is live.
1917 if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) {
1918 const StackArgumentsSpaceRegion *StackReg =
1919 cast<StackArgumentsSpaceRegion>(TR->getSuperRegion());
1920 const StackFrameContext *RegCtx = StackReg->getStackFrame();
1921 if (RegCtx == CurrentLCtx || RegCtx->isParentOf(CurrentLCtx))
1922 AddToWorkList(TR, &C);
1923 }
1924 }
1925
VisitCluster(const MemRegion * baseR,const ClusterBindings & C)1926 void removeDeadBindingsWorker::VisitCluster(const MemRegion *baseR,
1927 const ClusterBindings &C) {
1928 // Mark the symbol for any SymbolicRegion with live bindings as live itself.
1929 // This means we should continue to track that symbol.
1930 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(baseR))
1931 SymReaper.markLive(SymR->getSymbol());
1932
1933 for (ClusterBindings::iterator I = C.begin(), E = C.end(); I != E; ++I)
1934 VisitBinding(I.getData());
1935 }
1936
VisitBinding(SVal V)1937 void removeDeadBindingsWorker::VisitBinding(SVal V) {
1938 // Is it a LazyCompoundVal? All referenced regions are live as well.
1939 if (const nonloc::LazyCompoundVal *LCS =
1940 dyn_cast<nonloc::LazyCompoundVal>(&V)) {
1941
1942 const MemRegion *LazyR = LCS->getRegion();
1943 RegionBindings B = RegionStoreManager::GetRegionBindings(LCS->getStore());
1944
1945 // FIXME: This should not have to walk all bindings in the old store.
1946 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI){
1947 const ClusterBindings &Cluster = RI.getData();
1948 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
1949 CI != CE; ++CI) {
1950 BindingKey K = CI.getKey();
1951 if (const SubRegion *BaseR = dyn_cast<SubRegion>(K.getRegion())) {
1952 if (BaseR == LazyR)
1953 VisitBinding(CI.getData());
1954 else if (K.hasSymbolicOffset() && BaseR->isSubRegionOf(LazyR))
1955 VisitBinding(CI.getData());
1956 }
1957 }
1958 }
1959
1960 return;
1961 }
1962
1963 // If V is a region, then add it to the worklist.
1964 if (const MemRegion *R = V.getAsRegion()) {
1965 AddToWorkList(R);
1966
1967 // All regions captured by a block are also live.
1968 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) {
1969 BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(),
1970 E = BR->referenced_vars_end();
1971 for ( ; I != E; ++I)
1972 AddToWorkList(I.getCapturedRegion());
1973 }
1974 }
1975
1976
1977 // Update the set of live symbols.
1978 for (SymExpr::symbol_iterator SI = V.symbol_begin(), SE = V.symbol_end();
1979 SI!=SE; ++SI)
1980 SymReaper.markLive(*SI);
1981 }
1982
UpdatePostponed()1983 bool removeDeadBindingsWorker::UpdatePostponed() {
1984 // See if any postponed SymbolicRegions are actually live now, after
1985 // having done a scan.
1986 bool changed = false;
1987
1988 for (SmallVectorImpl<const SymbolicRegion*>::iterator
1989 I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) {
1990 if (const SymbolicRegion *SR = *I) {
1991 if (SymReaper.isLive(SR->getSymbol())) {
1992 changed |= AddToWorkList(SR);
1993 *I = NULL;
1994 }
1995 }
1996 }
1997
1998 return changed;
1999 }
2000
removeDeadBindings(Store store,const StackFrameContext * LCtx,SymbolReaper & SymReaper)2001 StoreRef RegionStoreManager::removeDeadBindings(Store store,
2002 const StackFrameContext *LCtx,
2003 SymbolReaper& SymReaper) {
2004 RegionBindings B = GetRegionBindings(store);
2005 removeDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx);
2006 W.GenerateClusters();
2007
2008 // Enqueue the region roots onto the worklist.
2009 for (SymbolReaper::region_iterator I = SymReaper.region_begin(),
2010 E = SymReaper.region_end(); I != E; ++I) {
2011 W.AddToWorkList(*I);
2012 }
2013
2014 do W.RunWorkList(); while (W.UpdatePostponed());
2015
2016 // We have now scanned the store, marking reachable regions and symbols
2017 // as live. We now remove all the regions that are dead from the store
2018 // as well as update DSymbols with the set symbols that are now dead.
2019 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
2020 const MemRegion *Base = I.getKey();
2021
2022 // If the cluster has been visited, we know the region has been marked.
2023 if (W.isVisited(Base))
2024 continue;
2025
2026 // Remove the dead entry.
2027 B = removeCluster(B, Base);
2028
2029 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(Base))
2030 SymReaper.maybeDead(SymR->getSymbol());
2031
2032 // Mark all non-live symbols that this binding references as dead.
2033 const ClusterBindings &Cluster = I.getData();
2034 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
2035 CI != CE; ++CI) {
2036 SVal X = CI.getData();
2037 SymExpr::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end();
2038 for (; SI != SE; ++SI)
2039 SymReaper.maybeDead(*SI);
2040 }
2041 }
2042
2043 return StoreRef(B.getRootWithoutRetain(), *this);
2044 }
2045
2046 //===----------------------------------------------------------------------===//
2047 // Utility methods.
2048 //===----------------------------------------------------------------------===//
2049
print(Store store,raw_ostream & OS,const char * nl,const char * sep)2050 void RegionStoreManager::print(Store store, raw_ostream &OS,
2051 const char* nl, const char *sep) {
2052 RegionBindings B = GetRegionBindings(store);
2053 OS << "Store (direct and default bindings), "
2054 << (void*) B.getRootWithoutRetain()
2055 << " :" << nl;
2056
2057 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
2058 const ClusterBindings &Cluster = I.getData();
2059 for (ClusterBindings::iterator CI = Cluster.begin(), CE = Cluster.end();
2060 CI != CE; ++CI) {
2061 OS << ' ' << CI.getKey() << " : " << CI.getData() << nl;
2062 }
2063 OS << nl;
2064 }
2065 }
2066