1//=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ExprEngine's support for C expressions.
10//
11//===----------------------------------------------------------------------===//
12
13#include "clang/AST/DeclCXX.h"
14#include "clang/AST/ExprCXX.h"
15#include "clang/StaticAnalyzer/Core/CheckerManager.h"
16#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
17#include <optional>
18
19using namespace clang;
20using namespace ento;
21using llvm::APSInt;
22
23/// Optionally conjure and return a symbol for offset when processing
24/// \p Elem.
25/// If \p Other is a location, conjure a symbol for \p Symbol
26/// (offset) if it is unknown so that memory arithmetic always
27/// results in an ElementRegion.
28/// \p Count The number of times the current basic block was visited.
29static SVal conjureOffsetSymbolOnLocation(SVal Symbol, SVal Other,
30 ConstCFGElementRef Elem, QualType Ty,
31 SValBuilder &svalBuilder,
32 unsigned Count,
33 const LocationContext *LCtx) {
34 if (isa<Loc>(Val: Other) && Ty->isIntegralOrEnumerationType() &&
35 Symbol.isUnknown()) {
36 return svalBuilder.conjureSymbolVal(elem: Elem, LCtx, type: Ty, visitCount: Count);
37 }
38 return Symbol;
39}
40
41void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
42 ExplodedNode *Pred,
43 ExplodedNodeSet &Dst) {
44
45 Expr *LHS = B->getLHS()->IgnoreParens();
46 Expr *RHS = B->getRHS()->IgnoreParens();
47
48 // FIXME: Prechecks eventually go in ::Visit().
49 ExplodedNodeSet CheckedSet;
50 ExplodedNodeSet Tmp2;
51 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this);
52
53 // With both the LHS and RHS evaluated, process the operation itself.
54 for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end();
55 it != ei; ++it) {
56
57 ProgramStateRef state = (*it)->getState();
58 const LocationContext *LCtx = (*it)->getLocationContext();
59 SVal LeftV = state->getSVal(LHS, LCtx);
60 SVal RightV = state->getSVal(RHS, LCtx);
61
62 BinaryOperator::Opcode Op = B->getOpcode();
63
64 if (Op == BO_Assign) {
65 // EXPERIMENTAL: "Conjured" symbols.
66 // FIXME: Handle structs.
67 if (RightV.isUnknown()) {
68 unsigned Count = currBldrCtx->blockCount();
69 RightV = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx,
70 count: Count);
71 }
72 // Simulate the effects of a "store": bind the value of the RHS
73 // to the L-Value represented by the LHS.
74 SVal ExprVal = B->isGLValue() ? LeftV : RightV;
75 evalStore(Tmp2, B, LHS, *it, state->BindExpr(B, LCtx, ExprVal),
76 LeftV, RightV);
77 continue;
78 }
79
80 if (!B->isAssignmentOp()) {
81 StmtNodeBuilder Bldr(*it, Tmp2, *currBldrCtx);
82
83 if (B->isAdditiveOp()) {
84 // TODO: This can be removed after we enable history tracking with
85 // SymSymExpr.
86 unsigned Count = currBldrCtx->blockCount();
87 RightV = conjureOffsetSymbolOnLocation(
88 Symbol: RightV, Other: LeftV, Elem: getCFGElementRef(), Ty: RHS->getType(), svalBuilder,
89 Count, LCtx);
90 LeftV = conjureOffsetSymbolOnLocation(Symbol: LeftV, Other: RightV, Elem: getCFGElementRef(),
91 Ty: LHS->getType(), svalBuilder,
92 Count, LCtx);
93 }
94
95 // Although we don't yet model pointers-to-members, we do need to make
96 // sure that the members of temporaries have a valid 'this' pointer for
97 // other checks.
98 if (B->getOpcode() == BO_PtrMemD)
99 state = createTemporaryRegionIfNeeded(State: state, LC: LCtx, InitWithAdjustments: LHS);
100
101 // Process non-assignments except commas or short-circuited
102 // logical expressions (LAnd and LOr).
103 SVal Result = evalBinOp(ST: state, Op, LHS: LeftV, RHS: RightV, T: B->getType());
104 if (!Result.isUnknown()) {
105 state = state->BindExpr(B, LCtx, Result);
106 } else {
107 // If we cannot evaluate the operation escape the operands.
108 state = escapeValues(State: state, Vs: LeftV, K: PSK_EscapeOther);
109 state = escapeValues(State: state, Vs: RightV, K: PSK_EscapeOther);
110 }
111
112 Bldr.generateNode(B, *it, state);
113 continue;
114 }
115
116 assert (B->isCompoundAssignmentOp());
117
118 switch (Op) {
119 default:
120 llvm_unreachable("Invalid opcode for compound assignment.");
121 case BO_MulAssign: Op = BO_Mul; break;
122 case BO_DivAssign: Op = BO_Div; break;
123 case BO_RemAssign: Op = BO_Rem; break;
124 case BO_AddAssign: Op = BO_Add; break;
125 case BO_SubAssign: Op = BO_Sub; break;
126 case BO_ShlAssign: Op = BO_Shl; break;
127 case BO_ShrAssign: Op = BO_Shr; break;
128 case BO_AndAssign: Op = BO_And; break;
129 case BO_XorAssign: Op = BO_Xor; break;
130 case BO_OrAssign: Op = BO_Or; break;
131 }
132
133 // Perform a load (the LHS). This performs the checks for
134 // null dereferences, and so on.
135 ExplodedNodeSet Tmp;
136 SVal location = LeftV;
137 evalLoad(Tmp, B, LHS, *it, state, location);
138
139 for (ExplodedNode *N : Tmp) {
140 state = N->getState();
141 const LocationContext *LCtx = N->getLocationContext();
142 SVal V = state->getSVal(LHS, LCtx);
143
144 // Get the computation type.
145 QualType CTy =
146 cast<CompoundAssignOperator>(Val: B)->getComputationResultType();
147 CTy = getContext().getCanonicalType(T: CTy);
148
149 QualType CLHSTy =
150 cast<CompoundAssignOperator>(Val: B)->getComputationLHSType();
151 CLHSTy = getContext().getCanonicalType(T: CLHSTy);
152
153 QualType LTy = getContext().getCanonicalType(T: LHS->getType());
154
155 // Promote LHS.
156 V = svalBuilder.evalCast(V, CastTy: CLHSTy, OriginalTy: LTy);
157
158 // Compute the result of the operation.
159 SVal Result = svalBuilder.evalCast(V: evalBinOp(ST: state, Op, LHS: V, RHS: RightV, T: CTy),
160 CastTy: B->getType(), OriginalTy: CTy);
161
162 // EXPERIMENTAL: "Conjured" symbols.
163 // FIXME: Handle structs.
164
165 SVal LHSVal;
166
167 if (Result.isUnknown()) {
168 // The symbolic value is actually for the type of the left-hand side
169 // expression, not the computation type, as this is the value the
170 // LValue on the LHS will bind to.
171 LHSVal = svalBuilder.conjureSymbolVal(/*symbolTag=*/nullptr,
172 elem: getCFGElementRef(), LCtx, type: LTy,
173 count: currBldrCtx->blockCount());
174 // However, we need to convert the symbol to the computation type.
175 Result = svalBuilder.evalCast(V: LHSVal, CastTy: CTy, OriginalTy: LTy);
176 } else {
177 // The left-hand side may bind to a different value then the
178 // computation type.
179 LHSVal = svalBuilder.evalCast(V: Result, CastTy: LTy, OriginalTy: CTy);
180 }
181
182 // In C++, assignment and compound assignment operators return an
183 // lvalue.
184 if (B->isGLValue())
185 state = state->BindExpr(B, LCtx, location);
186 else
187 state = state->BindExpr(B, LCtx, Result);
188
189 evalStore(Tmp2, B, LHS, N, state, location, LHSVal);
190 }
191 }
192
193 // FIXME: postvisits eventually go in ::Visit()
194 getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this);
195}
196
197void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
198 ExplodedNodeSet &Dst) {
199
200 CanQualType T = getContext().getCanonicalType(BE->getType());
201
202 const BlockDecl *BD = BE->getBlockDecl();
203 // Get the value of the block itself.
204 SVal V = svalBuilder.getBlockPointer(block: BD, locTy: T,
205 locContext: Pred->getLocationContext(),
206 blockCount: currBldrCtx->blockCount());
207
208 ProgramStateRef State = Pred->getState();
209
210 // If we created a new MemRegion for the block, we should explicitly bind
211 // the captured variables.
212 if (const BlockDataRegion *BDR =
213 dyn_cast_or_null<BlockDataRegion>(Val: V.getAsRegion())) {
214
215 auto ReferencedVars = BDR->referenced_vars();
216 auto CI = BD->capture_begin();
217 auto CE = BD->capture_end();
218 for (auto Var : ReferencedVars) {
219 const VarRegion *capturedR = Var.getCapturedRegion();
220 const TypedValueRegion *originalR = Var.getOriginalRegion();
221
222 // If the capture had a copy expression, use the result of evaluating
223 // that expression, otherwise use the original value.
224 // We rely on the invariant that the block declaration's capture variables
225 // are a prefix of the BlockDataRegion's referenced vars (which may include
226 // referenced globals, etc.) to enable fast lookup of the capture for a
227 // given referenced var.
228 const Expr *copyExpr = nullptr;
229 if (CI != CE) {
230 assert(CI->getVariable() == capturedR->getDecl());
231 copyExpr = CI->getCopyExpr();
232 CI++;
233 }
234
235 if (capturedR != originalR) {
236 SVal originalV;
237 const LocationContext *LCtx = Pred->getLocationContext();
238 if (copyExpr) {
239 originalV = State->getSVal(copyExpr, LCtx);
240 } else {
241 originalV = State->getSVal(loc::MemRegionVal(originalR));
242 }
243 State = State->bindLoc(loc::MemRegionVal(capturedR), originalV, LCtx);
244 }
245 }
246 }
247
248 ExplodedNodeSet Tmp;
249 StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
250 Bldr.generateNode(BE, Pred,
251 State->BindExpr(BE, Pred->getLocationContext(), V),
252 nullptr, ProgramPoint::PostLValueKind);
253
254 // FIXME: Move all post/pre visits to ::Visit().
255 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
256}
257
258ProgramStateRef ExprEngine::handleLValueBitCast(
259 ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx,
260 QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr,
261 ExplodedNode* Pred) {
262 if (T->isLValueReferenceType()) {
263 assert(!CastE->getType()->isLValueReferenceType());
264 ExTy = getContext().getLValueReferenceType(T: ExTy);
265 } else if (T->isRValueReferenceType()) {
266 assert(!CastE->getType()->isRValueReferenceType());
267 ExTy = getContext().getRValueReferenceType(T: ExTy);
268 }
269 // Delegate to SValBuilder to process.
270 SVal OrigV = state->getSVal(Ex, LCtx);
271 SVal SimplifiedOrigV = svalBuilder.simplifySVal(State: state, Val: OrigV);
272 SVal V = svalBuilder.evalCast(V: SimplifiedOrigV, CastTy: T, OriginalTy: ExTy);
273 // Negate the result if we're treating the boolean as a signed i1
274 if (CastE->getCastKind() == CK_BooleanToSignedIntegral && V.isValid())
275 V = svalBuilder.evalMinus(val: V.castAs<NonLoc>());
276
277 state = state->BindExpr(CastE, LCtx, V);
278 if (V.isUnknown() && !OrigV.isUnknown()) {
279 state = escapeValues(State: state, Vs: OrigV, K: PSK_EscapeOther);
280 }
281 Bldr.generateNode(CastE, Pred, state);
282
283 return state;
284}
285
286void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
287 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
288
289 ExplodedNodeSet DstPreStmt;
290 getCheckerManager().runCheckersForPreStmt(DstPreStmt, Pred, CastE, *this);
291
292 if (CastE->getCastKind() == CK_LValueToRValue) {
293 for (ExplodedNode *Node : DstPreStmt) {
294 ProgramStateRef State = Node->getState();
295 const LocationContext *LCtx = Node->getLocationContext();
296 evalLoad(Dst, CastE, CastE, Node, State, State->getSVal(Ex, LCtx));
297 }
298 return;
299 }
300 if (CastE->getCastKind() == CK_LValueToRValueBitCast) {
301 // Handle `__builtin_bit_cast`:
302 ExplodedNodeSet DstEvalLoc;
303
304 // Simulate the lvalue-to-rvalue conversion on `Ex`:
305 for (ExplodedNode *Node : DstPreStmt) {
306 ProgramStateRef State = Node->getState();
307 const LocationContext *LCtx = Node->getLocationContext();
308 evalLocation(DstEvalLoc, CastE, Ex, Node, State, State->getSVal(Ex, LCtx),
309 true);
310 }
311 // Simulate the operation that actually casts the original value to a new
312 // value of the destination type :
313 StmtNodeBuilder Bldr(DstEvalLoc, Dst, *currBldrCtx);
314
315 for (ExplodedNode *Node : DstEvalLoc) {
316 ProgramStateRef State = Node->getState();
317 const LocationContext *LCtx = Node->getLocationContext();
318 // Although `Ex` is an lvalue, it could have `Loc::ConcreteInt` kind
319 // (e.g., `(int *)123456`). In such cases, there is no MemRegion
320 // available and we can't get the value to be casted.
321 SVal CastedV = UnknownVal();
322
323 if (const MemRegion *MR = State->getSVal(Ex, LCtx).getAsRegion()) {
324 SVal OrigV = State->getSVal(R: MR);
325 CastedV = svalBuilder.evalCast(V: svalBuilder.simplifySVal(State, Val: OrigV),
326 CastTy: CastE->getType(), OriginalTy: Ex->getType());
327 }
328 State = State->BindExpr(CastE, LCtx, CastedV);
329 Bldr.generateNode(CastE, Node, State);
330 }
331 return;
332 }
333
334 // All other casts.
335 QualType T = CastE->getType();
336 QualType ExTy = Ex->getType();
337
338 if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(Val: CastE))
339 T = ExCast->getTypeAsWritten();
340
341 StmtNodeBuilder Bldr(DstPreStmt, Dst, *currBldrCtx);
342 for (ExplodedNode *Pred : DstPreStmt) {
343 ProgramStateRef state = Pred->getState();
344 const LocationContext *LCtx = Pred->getLocationContext();
345
346 switch (CastE->getCastKind()) {
347 case CK_LValueToRValue:
348 case CK_LValueToRValueBitCast:
349 llvm_unreachable("LValueToRValue casts handled earlier.");
350 case CK_ToVoid:
351 continue;
352 // The analyzer doesn't do anything special with these casts,
353 // since it understands retain/release semantics already.
354 case CK_ARCProduceObject:
355 case CK_ARCConsumeObject:
356 case CK_ARCReclaimReturnedObject:
357 case CK_ARCExtendBlockObject: // Fall-through.
358 case CK_CopyAndAutoreleaseBlockObject:
359 // The analyser can ignore atomic casts for now, although some future
360 // checkers may want to make certain that you're not modifying the same
361 // value through atomic and nonatomic pointers.
362 case CK_AtomicToNonAtomic:
363 case CK_NonAtomicToAtomic:
364 // True no-ops.
365 case CK_NoOp:
366 case CK_ConstructorConversion:
367 case CK_UserDefinedConversion:
368 case CK_FunctionToPointerDecay:
369 case CK_BuiltinFnToFnPtr:
370 case CK_HLSLArrayRValue: {
371 // Copy the SVal of Ex to CastE.
372 ProgramStateRef state = Pred->getState();
373 const LocationContext *LCtx = Pred->getLocationContext();
374 SVal V = state->getSVal(Ex, LCtx);
375 state = state->BindExpr(CastE, LCtx, V);
376 Bldr.generateNode(CastE, Pred, state);
377 continue;
378 }
379 case CK_MemberPointerToBoolean:
380 case CK_PointerToBoolean: {
381 SVal V = state->getSVal(Ex, LCtx);
382 auto PTMSV = V.getAs<nonloc::PointerToMember>();
383 if (PTMSV)
384 V = svalBuilder.makeTruthVal(!PTMSV->isNullMemberPointer(), ExTy);
385 if (V.isUndef() || PTMSV) {
386 state = state->BindExpr(CastE, LCtx, V);
387 Bldr.generateNode(CastE, Pred, state);
388 continue;
389 }
390 // Explicitly proceed with default handler for this case cascade.
391 state =
392 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
393 continue;
394 }
395 case CK_Dependent:
396 case CK_ArrayToPointerDecay:
397 case CK_BitCast:
398 case CK_AddressSpaceConversion:
399 case CK_BooleanToSignedIntegral:
400 case CK_IntegralToPointer:
401 case CK_PointerToIntegral: {
402 SVal V = state->getSVal(Ex, LCtx);
403 if (isa<nonloc::PointerToMember>(Val: V)) {
404 state = state->BindExpr(CastE, LCtx, UnknownVal());
405 Bldr.generateNode(CastE, Pred, state);
406 continue;
407 }
408 // Explicitly proceed with default handler for this case cascade.
409 state =
410 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
411 continue;
412 }
413 case CK_IntegralToBoolean:
414 case CK_IntegralToFloating:
415 case CK_FloatingToIntegral:
416 case CK_FloatingToBoolean:
417 case CK_FloatingCast:
418 case CK_FloatingRealToComplex:
419 case CK_FloatingComplexToReal:
420 case CK_FloatingComplexToBoolean:
421 case CK_FloatingComplexCast:
422 case CK_FloatingComplexToIntegralComplex:
423 case CK_IntegralRealToComplex:
424 case CK_IntegralComplexToReal:
425 case CK_IntegralComplexToBoolean:
426 case CK_IntegralComplexCast:
427 case CK_IntegralComplexToFloatingComplex:
428 case CK_CPointerToObjCPointerCast:
429 case CK_BlockPointerToObjCPointerCast:
430 case CK_AnyPointerToBlockPointerCast:
431 case CK_ObjCObjectLValueCast:
432 case CK_ZeroToOCLOpaqueType:
433 case CK_IntToOCLSampler:
434 case CK_LValueBitCast:
435 case CK_FloatingToFixedPoint:
436 case CK_FixedPointToFloating:
437 case CK_FixedPointCast:
438 case CK_FixedPointToBoolean:
439 case CK_FixedPointToIntegral:
440 case CK_IntegralToFixedPoint: {
441 state =
442 handleLValueBitCast(state, Ex, LCtx, T, ExTy, CastE, Bldr, Pred);
443 continue;
444 }
445 case CK_IntegralCast: {
446 // Delegate to SValBuilder to process.
447 SVal V = state->getSVal(Ex, LCtx);
448 if (AMgr.options.ShouldSupportSymbolicIntegerCasts)
449 V = svalBuilder.evalCast(V, CastTy: T, OriginalTy: ExTy);
450 else
451 V = svalBuilder.evalIntegralCast(state, val: V, castTy: T, originalType: ExTy);
452 state = state->BindExpr(CastE, LCtx, V);
453 Bldr.generateNode(CastE, Pred, state);
454 continue;
455 }
456 case CK_DerivedToBase:
457 case CK_UncheckedDerivedToBase: {
458 // For DerivedToBase cast, delegate to the store manager.
459 SVal val = state->getSVal(Ex, LCtx);
460 val = getStoreManager().evalDerivedToBase(Derived: val, Cast: CastE);
461 state = state->BindExpr(CastE, LCtx, val);
462 Bldr.generateNode(CastE, Pred, state);
463 continue;
464 }
465 // Handle C++ dyn_cast.
466 case CK_Dynamic: {
467 SVal val = state->getSVal(Ex, LCtx);
468
469 // Compute the type of the result.
470 QualType resultType = CastE->getType();
471 if (CastE->isGLValue())
472 resultType = getContext().getPointerType(T: resultType);
473
474 bool Failed = true;
475
476 // Check if the value being cast does not evaluates to 0.
477 if (!val.isZeroConstant())
478 if (std::optional<SVal> V =
479 StateMgr.getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T)) {
480 val = *V;
481 Failed = false;
482 }
483
484 if (Failed) {
485 if (T->isReferenceType()) {
486 // A bad_cast exception is thrown if input value is a reference.
487 // Currently, we model this, by generating a sink.
488 Bldr.generateSink(CastE, Pred, state);
489 continue;
490 } else {
491 // If the cast fails on a pointer, bind to 0.
492 state = state->BindExpr(CastE, LCtx,
493 svalBuilder.makeNullWithType(type: resultType));
494 }
495 } else {
496 // If we don't know if the cast succeeded, conjure a new symbol.
497 if (val.isUnknown()) {
498 DefinedOrUnknownSVal NewSym = svalBuilder.conjureSymbolVal(
499 /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
500 count: currBldrCtx->blockCount());
501 state = state->BindExpr(CastE, LCtx, NewSym);
502 } else
503 // Else, bind to the derived region value.
504 state = state->BindExpr(CastE, LCtx, val);
505 }
506 Bldr.generateNode(CastE, Pred, state);
507 continue;
508 }
509 case CK_BaseToDerived: {
510 SVal val = state->getSVal(Ex, LCtx);
511 QualType resultType = CastE->getType();
512 if (CastE->isGLValue())
513 resultType = getContext().getPointerType(T: resultType);
514
515 if (!val.isConstant()) {
516 std::optional<SVal> V = getStoreManager().evalBaseToDerived(Base: val, DerivedPtrType: T);
517 val = V ? *V : UnknownVal();
518 }
519
520 // Failed to cast or the result is unknown, fall back to conservative.
521 if (val.isUnknown()) {
522 val = svalBuilder.conjureSymbolVal(
523 /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
524 count: currBldrCtx->blockCount());
525 }
526 state = state->BindExpr(CastE, LCtx, val);
527 Bldr.generateNode(CastE, Pred, state);
528 continue;
529 }
530 case CK_NullToPointer: {
531 SVal V = svalBuilder.makeNullWithType(type: CastE->getType());
532 state = state->BindExpr(CastE, LCtx, V);
533 Bldr.generateNode(CastE, Pred, state);
534 continue;
535 }
536 case CK_NullToMemberPointer: {
537 SVal V = svalBuilder.getMemberPointer(ND: nullptr);
538 state = state->BindExpr(CastE, LCtx, V);
539 Bldr.generateNode(CastE, Pred, state);
540 continue;
541 }
542 case CK_DerivedToBaseMemberPointer:
543 case CK_BaseToDerivedMemberPointer:
544 case CK_ReinterpretMemberPointer: {
545 SVal V = state->getSVal(Ex, LCtx);
546 if (auto PTMSV = V.getAs<nonloc::PointerToMember>()) {
547 SVal CastedPTMSV =
548 svalBuilder.makePointerToMember(getBasicVals().accumCXXBase(
549 PathRange: CastE->path(), PTM: *PTMSV, kind: CastE->getCastKind()));
550 state = state->BindExpr(CastE, LCtx, CastedPTMSV);
551 Bldr.generateNode(CastE, Pred, state);
552 continue;
553 }
554 // Explicitly proceed with default handler for this case cascade.
555 }
556 [[fallthrough]];
557 // Various C++ casts that are not handled yet.
558 case CK_ToUnion:
559 case CK_MatrixCast:
560 case CK_VectorSplat:
561 case CK_HLSLElementwiseCast:
562 case CK_HLSLAggregateSplatCast:
563 case CK_HLSLVectorTruncation: {
564 QualType resultType = CastE->getType();
565 if (CastE->isGLValue())
566 resultType = getContext().getPointerType(T: resultType);
567 SVal result = svalBuilder.conjureSymbolVal(
568 /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx, type: resultType,
569 count: currBldrCtx->blockCount());
570 state = state->BindExpr(CastE, LCtx, result);
571 Bldr.generateNode(CastE, Pred, state);
572 continue;
573 }
574 }
575 }
576}
577
578void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
579 ExplodedNode *Pred,
580 ExplodedNodeSet &Dst) {
581 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
582
583 ProgramStateRef State = Pred->getState();
584 const LocationContext *LCtx = Pred->getLocationContext();
585
586 const Expr *Init = CL->getInitializer();
587 SVal V = State->getSVal(CL->getInitializer(), LCtx);
588
589 if (isa<CXXConstructExpr, CXXStdInitializerListExpr>(Val: Init)) {
590 // No work needed. Just pass the value up to this expression.
591 } else {
592 assert(isa<InitListExpr>(Init));
593 Loc CLLoc = State->getLValue(literal: CL, LC: LCtx);
594 State = State->bindLoc(location: CLLoc, V, LCtx);
595
596 if (CL->isGLValue())
597 V = CLLoc;
598 }
599
600 B.generateNode(CL, Pred, State->BindExpr(CL, LCtx, V));
601}
602
603void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
604 ExplodedNodeSet &Dst) {
605 if (isa<TypedefNameDecl>(Val: *DS->decl_begin())) {
606 // C99 6.7.7 "Any array size expressions associated with variable length
607 // array declarators are evaluated each time the declaration of the typedef
608 // name is reached in the order of execution."
609 // The checkers should know about typedef to be able to handle VLA size
610 // expressions.
611 ExplodedNodeSet DstPre;
612 getCheckerManager().runCheckersForPreStmt(Dst&: DstPre, Src: Pred, S: DS, Eng&: *this);
613 getCheckerManager().runCheckersForPostStmt(Dst, Src: DstPre, S: DS, Eng&: *this);
614 return;
615 }
616
617 // Assumption: The CFG has one DeclStmt per Decl.
618 const VarDecl *VD = dyn_cast_or_null<VarDecl>(Val: *DS->decl_begin());
619
620 if (!VD) {
621 //TODO:AZ: remove explicit insertion after refactoring is done.
622 Dst.insert(S: Pred);
623 return;
624 }
625
626 // FIXME: all pre/post visits should eventually be handled by ::Visit().
627 ExplodedNodeSet dstPreVisit;
628 getCheckerManager().runCheckersForPreStmt(Dst&: dstPreVisit, Src: Pred, S: DS, Eng&: *this);
629
630 ExplodedNodeSet dstEvaluated;
631 StmtNodeBuilder B(dstPreVisit, dstEvaluated, *currBldrCtx);
632 for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
633 I!=E; ++I) {
634 ExplodedNode *N = *I;
635 ProgramStateRef state = N->getState();
636 const LocationContext *LC = N->getLocationContext();
637
638 // Decls without InitExpr are not initialized explicitly.
639 if (const Expr *InitEx = VD->getInit()) {
640
641 // Note in the state that the initialization has occurred.
642 ExplodedNode *UpdatedN = N;
643 SVal InitVal = state->getSVal(InitEx, LC);
644
645 assert(DS->isSingleDecl());
646 if (getObjectUnderConstruction(State: state, Item: DS, LC)) {
647 state = finishObjectConstruction(State: state, Item: DS, LC);
648 // We constructed the object directly in the variable.
649 // No need to bind anything.
650 B.generateNode(S: DS, Pred: UpdatedN, St: state);
651 } else {
652 // Recover some path-sensitivity if a scalar value evaluated to
653 // UnknownVal.
654 if (InitVal.isUnknown()) {
655 QualType Ty = InitEx->getType();
656 if (InitEx->isGLValue()) {
657 Ty = getContext().getPointerType(T: Ty);
658 }
659
660 InitVal = svalBuilder.conjureSymbolVal(
661 /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx: LC, type: Ty,
662 count: currBldrCtx->blockCount());
663 }
664
665
666 B.takeNodes(N: UpdatedN);
667 ExplodedNodeSet Dst2;
668 evalBind(Dst&: Dst2, StoreE: DS, Pred: UpdatedN, location: state->getLValue(VD, LC), Val: InitVal, atDeclInit: true);
669 B.addNodes(S: Dst2);
670 }
671 }
672 else {
673 B.generateNode(S: DS, Pred: N, St: state);
674 }
675 }
676
677 getCheckerManager().runCheckersForPostStmt(Dst, Src: B.getResults(), S: DS, Eng&: *this);
678}
679
680void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
681 ExplodedNodeSet &Dst) {
682 // This method acts upon CFG elements for logical operators && and ||
683 // and attaches the value (true or false) to them as expressions.
684 // It doesn't produce any state splits.
685 // If we made it that far, we're past the point when we modeled the short
686 // circuit. It means that we should have precise knowledge about whether
687 // we've short-circuited. If we did, we already know the value we need to
688 // bind. If we didn't, the value of the RHS (casted to the boolean type)
689 // is the answer.
690 // Currently this method tries to figure out whether we've short-circuited
691 // by looking at the ExplodedGraph. This method is imperfect because there
692 // could inevitably have been merges that would have resulted in multiple
693 // potential path traversal histories. We bail out when we fail.
694 // Due to this ambiguity, a more reliable solution would have been to
695 // track the short circuit operation history path-sensitively until
696 // we evaluate the respective logical operator.
697 assert(B->getOpcode() == BO_LAnd ||
698 B->getOpcode() == BO_LOr);
699
700 StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
701 ProgramStateRef state = Pred->getState();
702
703 if (B->getType()->isVectorType()) {
704 // FIXME: We do not model vector arithmetic yet. When adding support for
705 // that, note that the CFG-based reasoning below does not apply, because
706 // logical operators on vectors are not short-circuit. Currently they are
707 // modeled as short-circuit in Clang CFG but this is incorrect.
708 // Do not set the value for the expression. It'd be UnknownVal by default.
709 Bldr.generateNode(B, Pred, state);
710 return;
711 }
712
713 ExplodedNode *N = Pred;
714 while (!N->getLocation().getAs<BlockEdge>()) {
715 ProgramPoint P = N->getLocation();
716 assert(P.getAs<PreStmt>() || P.getAs<PreStmtPurgeDeadSymbols>() ||
717 P.getAs<BlockEntrance>());
718 (void) P;
719 if (N->pred_size() != 1) {
720 // We failed to track back where we came from.
721 Bldr.generateNode(B, Pred, state);
722 return;
723 }
724 N = *N->pred_begin();
725 }
726
727 if (N->pred_size() != 1) {
728 // We failed to track back where we came from.
729 Bldr.generateNode(B, Pred, state);
730 return;
731 }
732
733 BlockEdge BE = N->getLocation().castAs<BlockEdge>();
734 SVal X;
735
736 // Determine the value of the expression by introspecting how we
737 // got this location in the CFG. This requires looking at the previous
738 // block we were in and what kind of control-flow transfer was involved.
739 const CFGBlock *SrcBlock = BE.getSrc();
740 // The only terminator (if there is one) that makes sense is a logical op.
741 CFGTerminator T = SrcBlock->getTerminator();
742 if (const BinaryOperator *Term = cast_or_null<BinaryOperator>(Val: T.getStmt())) {
743 (void) Term;
744 assert(Term->isLogicalOp());
745 assert(SrcBlock->succ_size() == 2);
746 // Did we take the true or false branch?
747 unsigned constant = (*SrcBlock->succ_begin() == BE.getDst()) ? 1 : 0;
748 X = svalBuilder.makeIntVal(constant, B->getType());
749 }
750 else {
751 // If there is no terminator, by construction the last statement
752 // in SrcBlock is the value of the enclosing expression.
753 // However, we still need to constrain that value to be 0 or 1.
754 assert(!SrcBlock->empty());
755 CFGStmt Elem = SrcBlock->rbegin()->castAs<CFGStmt>();
756 const Expr *RHS = cast<Expr>(Val: Elem.getStmt());
757 SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext());
758
759 if (RHSVal.isUndef()) {
760 X = RHSVal;
761 } else {
762 // We evaluate "RHSVal != 0" expression which result in 0 if the value is
763 // known to be false, 1 if the value is known to be true and a new symbol
764 // when the assumption is unknown.
765 nonloc::ConcreteInt Zero(getBasicVals().getValue(0, B->getType()));
766 X = evalBinOp(ST: N->getState(), Op: BO_NE,
767 LHS: svalBuilder.evalCast(V: RHSVal, CastTy: B->getType(), OriginalTy: RHS->getType()),
768 RHS: Zero, T: B->getType());
769 }
770 }
771 Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X));
772}
773
774void ExprEngine::VisitInitListExpr(const InitListExpr *IE,
775 ExplodedNode *Pred,
776 ExplodedNodeSet &Dst) {
777 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
778
779 ProgramStateRef state = Pred->getState();
780 const LocationContext *LCtx = Pred->getLocationContext();
781 QualType T = getContext().getCanonicalType(IE->getType());
782 unsigned NumInitElements = IE->getNumInits();
783
784 if (!IE->isGLValue() && !IE->isTransparent() &&
785 (T->isArrayType() || T->isRecordType() || T->isVectorType() ||
786 T->isAnyComplexType())) {
787 llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList();
788
789 // Handle base case where the initializer has no elements.
790 // e.g: static int* myArray[] = {};
791 if (NumInitElements == 0) {
792 SVal V = svalBuilder.makeCompoundVal(type: T, vals);
793 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V));
794 return;
795 }
796
797 for (const Stmt *S : llvm::reverse(C: *IE)) {
798 SVal V = state->getSVal(cast<Expr>(Val: S), LCtx);
799 vals = getBasicVals().prependSVal(X: V, L: vals);
800 }
801
802 B.generateNode(IE, Pred,
803 state->BindExpr(IE, LCtx,
804 svalBuilder.makeCompoundVal(type: T, vals)));
805 return;
806 }
807
808 // Handle scalars: int{5} and int{} and GLvalues.
809 // Note, if the InitListExpr is a GLvalue, it means that there is an address
810 // representing it, so it must have a single init element.
811 assert(NumInitElements <= 1);
812
813 SVal V;
814 if (NumInitElements == 0)
815 V = getSValBuilder().makeZeroVal(type: T);
816 else
817 V = state->getSVal(IE->getInit(Init: 0), LCtx);
818
819 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V));
820}
821
822void ExprEngine::VisitGuardedExpr(const Expr *Ex,
823 const Expr *L,
824 const Expr *R,
825 ExplodedNode *Pred,
826 ExplodedNodeSet &Dst) {
827 assert(L && R);
828
829 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
830 ProgramStateRef state = Pred->getState();
831 const LocationContext *LCtx = Pred->getLocationContext();
832 const CFGBlock *SrcBlock = nullptr;
833
834 // Find the predecessor block.
835 ProgramStateRef SrcState = state;
836 for (const ExplodedNode *N = Pred ; N ; N = *N->pred_begin()) {
837 auto Edge = N->getLocationAs<BlockEdge>();
838 if (!Edge.has_value()) {
839 // If the state N has multiple predecessors P, it means that successors
840 // of P are all equivalent.
841 // In turn, that means that all nodes at P are equivalent in terms
842 // of observable behavior at N, and we can follow any of them.
843 // FIXME: a more robust solution which does not walk up the tree.
844 continue;
845 }
846 SrcBlock = Edge->getSrc();
847 SrcState = N->getState();
848 break;
849 }
850
851 assert(SrcBlock && "missing function entry");
852
853 // Find the last expression in the predecessor block. That is the
854 // expression that is used for the value of the ternary expression.
855 bool hasValue = false;
856 SVal V;
857
858 for (CFGElement CE : llvm::reverse(C: *SrcBlock)) {
859 if (std::optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {
860 const Expr *ValEx = cast<Expr>(Val: CS->getStmt());
861 ValEx = ValEx->IgnoreParens();
862
863 // For GNU extension '?:' operator, the left hand side will be an
864 // OpaqueValueExpr, so get the underlying expression.
865 if (const OpaqueValueExpr *OpaqueEx = dyn_cast<OpaqueValueExpr>(Val: L))
866 L = OpaqueEx->getSourceExpr();
867
868 // If the last expression in the predecessor block matches true or false
869 // subexpression, get its the value.
870 if (ValEx == L->IgnoreParens() || ValEx == R->IgnoreParens()) {
871 hasValue = true;
872 V = SrcState->getSVal(ValEx, LCtx);
873 }
874 break;
875 }
876 }
877
878 if (!hasValue)
879 V = svalBuilder.conjureSymbolVal(symbolTag: nullptr, elem: getCFGElementRef(), LCtx,
880 count: currBldrCtx->blockCount());
881
882 // Generate a new node with the binding from the appropriate path.
883 B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V, true));
884}
885
886void ExprEngine::
887VisitOffsetOfExpr(const OffsetOfExpr *OOE,
888 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
889 StmtNodeBuilder B(Pred, Dst, *currBldrCtx);
890 Expr::EvalResult Result;
891 if (OOE->EvaluateAsInt(Result, getContext())) {
892 APSInt IV = Result.Val.getInt();
893 assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
894 assert(OOE->getType()->castAs<BuiltinType>()->isInteger());
895 assert(IV.isSigned() == OOE->getType()->isSignedIntegerType());
896 SVal X = svalBuilder.makeIntVal(integer: IV);
897 B.generateNode(OOE, Pred,
898 Pred->getState()->BindExpr(OOE, Pred->getLocationContext(),
899 X));
900 }
901 // FIXME: Handle the case where __builtin_offsetof is not a constant.
902}
903
904
905void ExprEngine::
906VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex,
907 ExplodedNode *Pred,
908 ExplodedNodeSet &Dst) {
909 // FIXME: Prechecks eventually go in ::Visit().
910 ExplodedNodeSet CheckedSet;
911 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, Ex, *this);
912
913 ExplodedNodeSet EvalSet;
914 StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
915
916 QualType T = Ex->getTypeOfArgument();
917
918 for (ExplodedNode *N : CheckedSet) {
919 if (Ex->getKind() == UETT_SizeOf) {
920 if (!T->isIncompleteType() && !T->isConstantSizeType()) {
921 assert(T->isVariableArrayType() && "Unknown non-constant-sized type.");
922
923 // FIXME: Add support for VLA type arguments and VLA expressions.
924 // When that happens, we should probably refactor VLASizeChecker's code.
925 continue;
926 } else if (T->getAs<ObjCObjectType>()) {
927 // Some code tries to take the sizeof an ObjCObjectType, relying that
928 // the compiler has laid out its representation. Just report Unknown
929 // for these.
930 continue;
931 }
932 }
933
934 APSInt Value = Ex->EvaluateKnownConstInt(getContext());
935 CharUnits amt = CharUnits::fromQuantity(Quantity: Value.getZExtValue());
936
937 ProgramStateRef state = N->getState();
938 state = state->BindExpr(
939 S: Ex, LCtx: N->getLocationContext(),
940 V: svalBuilder.makeIntVal(amt.getQuantity(), Ex->getType()));
941 Bldr.generateNode(Ex, N, state);
942 }
943
944 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, Ex, *this);
945}
946
947void ExprEngine::handleUOExtension(ExplodedNode *N, const UnaryOperator *U,
948 StmtNodeBuilder &Bldr) {
949 // FIXME: We can probably just have some magic in Environment::getSVal()
950 // that propagates values, instead of creating a new node here.
951 //
952 // Unary "+" is a no-op, similar to a parentheses. We still have places
953 // where it may be a block-level expression, so we need to
954 // generate an extra node that just propagates the value of the
955 // subexpression.
956 const Expr *Ex = U->getSubExpr()->IgnoreParens();
957 ProgramStateRef state = N->getState();
958 const LocationContext *LCtx = N->getLocationContext();
959 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, state->getSVal(Ex, LCtx)));
960}
961
962void ExprEngine::VisitUnaryOperator(const UnaryOperator* U, ExplodedNode *Pred,
963 ExplodedNodeSet &Dst) {
964 // FIXME: Prechecks eventually go in ::Visit().
965 ExplodedNodeSet CheckedSet;
966 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, U, *this);
967
968 ExplodedNodeSet EvalSet;
969 StmtNodeBuilder Bldr(CheckedSet, EvalSet, *currBldrCtx);
970
971 for (ExplodedNode *N : CheckedSet) {
972 switch (U->getOpcode()) {
973 default: {
974 Bldr.takeNodes(N);
975 ExplodedNodeSet Tmp;
976 VisitIncrementDecrementOperator(U, Pred: N, Dst&: Tmp);
977 Bldr.addNodes(S: Tmp);
978 break;
979 }
980 case UO_Real: {
981 const Expr *Ex = U->getSubExpr()->IgnoreParens();
982
983 // FIXME: We don't have complex SValues yet.
984 if (Ex->getType()->isAnyComplexType()) {
985 // Just report "Unknown."
986 break;
987 }
988
989 // For all other types, UO_Real is an identity operation.
990 assert (U->getType() == Ex->getType());
991 ProgramStateRef state = N->getState();
992 const LocationContext *LCtx = N->getLocationContext();
993 Bldr.generateNode(U, N,
994 state->BindExpr(U, LCtx, state->getSVal(Ex, LCtx)));
995 break;
996 }
997
998 case UO_Imag: {
999 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1000 // FIXME: We don't have complex SValues yet.
1001 if (Ex->getType()->isAnyComplexType()) {
1002 // Just report "Unknown."
1003 break;
1004 }
1005 // For all other types, UO_Imag returns 0.
1006 ProgramStateRef state = N->getState();
1007 const LocationContext *LCtx = N->getLocationContext();
1008 SVal X = svalBuilder.makeZeroVal(type: Ex->getType());
1009 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, X));
1010 break;
1011 }
1012
1013 case UO_AddrOf: {
1014 // Process pointer-to-member address operation.
1015 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1016 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Val: Ex)) {
1017 const ValueDecl *VD = DRE->getDecl();
1018
1019 if (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(Val: VD)) {
1020 ProgramStateRef State = N->getState();
1021 const LocationContext *LCtx = N->getLocationContext();
1022 SVal SV = svalBuilder.getMemberPointer(ND: cast<NamedDecl>(Val: VD));
1023 Bldr.generateNode(U, N, State->BindExpr(U, LCtx, SV));
1024 break;
1025 }
1026 }
1027 // Explicitly proceed with default handler for this case cascade.
1028 handleUOExtension(N, U, Bldr);
1029 break;
1030 }
1031 case UO_Plus:
1032 assert(!U->isGLValue());
1033 [[fallthrough]];
1034 case UO_Deref:
1035 case UO_Extension: {
1036 handleUOExtension(N, U, Bldr);
1037 break;
1038 }
1039
1040 case UO_LNot:
1041 case UO_Minus:
1042 case UO_Not: {
1043 assert (!U->isGLValue());
1044 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1045 ProgramStateRef state = N->getState();
1046 const LocationContext *LCtx = N->getLocationContext();
1047
1048 // Get the value of the subexpression.
1049 SVal V = state->getSVal(Ex, LCtx);
1050
1051 if (V.isUnknownOrUndef()) {
1052 Bldr.generateNode(U, N, state->BindExpr(U, LCtx, V));
1053 break;
1054 }
1055
1056 switch (U->getOpcode()) {
1057 default:
1058 llvm_unreachable("Invalid Opcode.");
1059 case UO_Not:
1060 // FIXME: Do we need to handle promotions?
1061 state = state->BindExpr(
1062 U, LCtx, svalBuilder.evalComplement(val: V.castAs<NonLoc>()));
1063 break;
1064 case UO_Minus:
1065 // FIXME: Do we need to handle promotions?
1066 state = state->BindExpr(U, LCtx,
1067 svalBuilder.evalMinus(val: V.castAs<NonLoc>()));
1068 break;
1069 case UO_LNot:
1070 // C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
1071 //
1072 // Note: technically we do "E == 0", but this is the same in the
1073 // transfer functions as "0 == E".
1074 SVal Result;
1075 if (std::optional<Loc> LV = V.getAs<Loc>()) {
1076 Loc X = svalBuilder.makeNullWithType(type: Ex->getType());
1077 Result = evalBinOp(ST: state, Op: BO_EQ, LHS: *LV, RHS: X, T: U->getType());
1078 } else if (Ex->getType()->isFloatingType()) {
1079 // FIXME: handle floating point types.
1080 Result = UnknownVal();
1081 } else {
1082 nonloc::ConcreteInt X(getBasicVals().getValue(X: 0, T: Ex->getType()));
1083 Result = evalBinOp(ST: state, Op: BO_EQ, LHS: V.castAs<NonLoc>(), RHS: X, T: U->getType());
1084 }
1085
1086 state = state->BindExpr(U, LCtx, Result);
1087 break;
1088 }
1089 Bldr.generateNode(U, N, state);
1090 break;
1091 }
1092 }
1093 }
1094
1095 getCheckerManager().runCheckersForPostStmt(Dst, EvalSet, U, *this);
1096}
1097
1098void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
1099 ExplodedNode *Pred,
1100 ExplodedNodeSet &Dst) {
1101 // Handle ++ and -- (both pre- and post-increment).
1102 assert (U->isIncrementDecrementOp());
1103 const Expr *Ex = U->getSubExpr()->IgnoreParens();
1104
1105 const LocationContext *LCtx = Pred->getLocationContext();
1106 ProgramStateRef state = Pred->getState();
1107 SVal loc = state->getSVal(Ex, LCtx);
1108
1109 // Perform a load.
1110 ExplodedNodeSet Tmp;
1111 evalLoad(Tmp, U, Ex, Pred, state, loc);
1112
1113 ExplodedNodeSet Dst2;
1114 StmtNodeBuilder Bldr(Tmp, Dst2, *currBldrCtx);
1115 for (ExplodedNode *N : Tmp) {
1116 state = N->getState();
1117 assert(LCtx == N->getLocationContext());
1118 SVal V2_untested = state->getSVal(Ex, LCtx);
1119
1120 // Propagate unknown and undefined values.
1121 if (V2_untested.isUnknownOrUndef()) {
1122 state = state->BindExpr(U, LCtx, V2_untested);
1123
1124 // Perform the store, so that the uninitialized value detection happens.
1125 Bldr.takeNodes(N);
1126 ExplodedNodeSet Dst3;
1127 evalStore(Dst3, U, Ex, N, state, loc, V2_untested);
1128 Bldr.addNodes(S: Dst3);
1129
1130 continue;
1131 }
1132 DefinedSVal V2 = V2_untested.castAs<DefinedSVal>();
1133
1134 // Handle all other values.
1135 BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
1136
1137 // If the UnaryOperator has non-location type, use its type to create the
1138 // constant value. If the UnaryOperator has location type, create the
1139 // constant with int type and pointer width.
1140 SVal RHS;
1141 SVal Result;
1142
1143 if (U->getType()->isAnyPointerType())
1144 RHS = svalBuilder.makeArrayIndex(idx: 1);
1145 else if (U->getType()->isIntegralOrEnumerationType())
1146 RHS = svalBuilder.makeIntVal(1, U->getType());
1147 else
1148 RHS = UnknownVal();
1149
1150 // The use of an operand of type bool with the ++ operators is deprecated
1151 // but valid until C++17. And if the operand of the ++ operator is of type
1152 // bool, it is set to true until C++17. Note that for '_Bool', it is also
1153 // set to true when it encounters ++ operator.
1154 if (U->getType()->isBooleanType() && U->isIncrementOp())
1155 Result = svalBuilder.makeTruthVal(true, U->getType());
1156 else
1157 Result = evalBinOp(ST: state, Op, LHS: V2, RHS, T: U->getType());
1158
1159 // Conjure a new symbol if necessary to recover precision.
1160 if (Result.isUnknown()){
1161 DefinedOrUnknownSVal SymVal = svalBuilder.conjureSymbolVal(
1162 /*symbolTag=*/nullptr, elem: getCFGElementRef(), LCtx,
1163 count: currBldrCtx->blockCount());
1164 Result = SymVal;
1165
1166 // If the value is a location, ++/-- should always preserve
1167 // non-nullness. Check if the original value was non-null, and if so
1168 // propagate that constraint.
1169 if (Loc::isLocType(T: U->getType())) {
1170 DefinedOrUnknownSVal Constraint =
1171 svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(type: U->getType()));
1172
1173 if (!state->assume(Cond: Constraint, Assumption: true)) {
1174 // It isn't feasible for the original value to be null.
1175 // Propagate this constraint.
1176 Constraint = svalBuilder.evalEQ(state, SymVal,
1177 svalBuilder.makeZeroVal(type: U->getType()));
1178
1179 state = state->assume(Cond: Constraint, Assumption: false);
1180 assert(state);
1181 }
1182 }
1183 }
1184
1185 // Since the lvalue-to-rvalue conversion is explicit in the AST,
1186 // we bind an l-value if the operator is prefix and an lvalue (in C++).
1187 if (U->isGLValue())
1188 state = state->BindExpr(U, LCtx, loc);
1189 else
1190 state = state->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);
1191
1192 // Perform the store.
1193 Bldr.takeNodes(N);
1194 ExplodedNodeSet Dst3;
1195 evalStore(Dst3, U, Ex, N, state, loc, Result);
1196 Bldr.addNodes(S: Dst3);
1197 }
1198 Dst.insert(S: Dst2);
1199}
1200

Provided by KDAB

Privacy Policy
Improve your Profiling and Debugging skills
Find out more

source code of clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp