RangedConstraintManager.cpp source code [clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp]

1	//== RangedConstraintManager.cpp --------------------------------- C++ ---==//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines RangedConstraintManager, a class that provides a
10	// range-based constraint manager interface.
11	//
12	//===----------------------------------------------------------------------===//
13
14	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
15	#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
16
17	namespace clang {
18
19	namespace ento {
20
21	RangedConstraintManager::~RangedConstraintManager() {}
22
23	ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State,
24	SymbolRef Sym,
25	bool Assumption) {
26	Sym = simplify(State, Sym);
27
28	// Handle SymbolData.
29	if (isa<SymbolData>(Val: Sym))
30	return assumeSymUnsupported(State, Sym, Assumption);
31
32	// Handle symbolic expression.
33	if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Val: Sym)) {
34	// We can only simplify expressions whose RHS is an integer.
35
36	BinaryOperator::Opcode op = SIE->getOpcode();
37	if (BinaryOperator::isComparisonOp(Opc: op) && op != BO_Cmp) {
38	if (!Assumption)
39	op = BinaryOperator::negateComparisonOp(Opc: op);
40
41	return assumeSymRel(State, Sym: SIE->getLHS(), op, Int: SIE->getRHS());
42	}
43
44	// Handle adjustment with non-comparison ops.
45	const llvm::APSInt &Zero = getBasicVals().getValue(`0`, SIE->getType());
46	return assumeSymRel(State, SIE, (Assumption ? BO_NE : BO_EQ), Zero);
47	}
48
49	if (const auto *SSE = dyn_cast<SymSymExpr>(Val: Sym)) {
50	BinaryOperator::Opcode Op = SSE->getOpcode();
51	if (BinaryOperator::isComparisonOp(Opc: Op)) {
52
53	// We convert equality operations for pointers only.
54	if (Loc::isLocType(T: SSE->getLHS()->getType()) &&
55	Loc::isLocType(T: SSE->getRHS()->getType())) {
56	// Translate "a != b" to "(b - a) != 0".
57	// We invert the order of the operands as a heuristic for how loop
58	// conditions are usually written ("begin != end") as compared to length
59	// calculations ("end - begin"). The more correct thing to do would be
60	// to canonicalize "a - b" and "b - a", which would allow us to treat
61	// "a != b" and "b != a" the same.
62
63	SymbolManager &SymMgr = getSymbolManager();
64	QualType DiffTy = SymMgr.getContext().getPointerDiffType();
65	SymbolRef Subtraction =
66	SymMgr.getSymSymExpr(lhs: SSE->getRHS(), op: BO_Sub, rhs: SSE->getLHS(), t: DiffTy);
67
68	const llvm::APSInt &Zero = getBasicVals().getValue(X: `0`, T: DiffTy);
69	Op = BinaryOperator::reverseComparisonOp(Opc: Op);
70	if (!Assumption)
71	Op = BinaryOperator::negateComparisonOp(Opc: Op);
72	return assumeSymRel(State, Sym: Subtraction, op: Op, Int: Zero);
73	}
74
75	if (BinaryOperator::isEqualityOp(Opc: Op)) {
76	SymbolManager &SymMgr = getSymbolManager();
77
78	QualType ExprType = SSE->getType();
79	SymbolRef CanonicalEquality =
80	SymMgr.getSymSymExpr(lhs: SSE->getLHS(), op: BO_EQ, rhs: SSE->getRHS(), t: ExprType);
81
82	bool WasEqual = SSE->getOpcode() == BO_EQ;
83	bool IsExpectedEqual = WasEqual == Assumption;
84
85	const llvm::APSInt &Zero = getBasicVals().getValue(X: `0`, T: ExprType);
86
87	if (IsExpectedEqual) {
88	return assumeSymNE(State, Sym: CanonicalEquality, V: Zero, Adjustment: Zero);
89	}
90
91	return assumeSymEQ(State, Sym: CanonicalEquality, V: Zero, Adjustment: Zero);
92	}
93	}
94	}
95
96	// If we get here, there's nothing else we can do but treat the symbol as
97	// opaque.
98	return assumeSymUnsupported(State, Sym, Assumption);
99	}
100
101	ProgramStateRef RangedConstraintManager::assumeSymInclusiveRange(
102	ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From,
103	const llvm::APSInt &To, bool InRange) {
104
105	Sym = simplify(State, Sym);
106
107	// Get the type used for calculating wraparound.
108	BasicValueFactory &BVF = getBasicVals();
109	APSIntType WraparoundType = BVF.getAPSIntType(T: Sym->getType());
110
111	llvm::APSInt Adjustment = WraparoundType.getZeroValue();
112	SymbolRef AdjustedSym = Sym;
113	computeAdjustment(Sym&: AdjustedSym, Adjustment);
114
115	// Convert the right-hand side integer as necessary.
116	APSIntType ComparisonType = std::max(a: WraparoundType, b: APSIntType (From));
117	llvm::APSInt ConvertedFrom = ComparisonType.convert(Value: From);
118	llvm::APSInt ConvertedTo = ComparisonType.convert(Value: To);
119
120	// Prefer unsigned comparisons.
121	if (ComparisonType.getBitWidth() == WraparoundType.getBitWidth() &&
122	ComparisonType.isUnsigned() && !WraparoundType.isUnsigned())
123	Adjustment.setIsSigned(false);
124
125	if (InRange)
126	return assumeSymWithinInclusiveRange(State, Sym: AdjustedSym, From: ConvertedFrom,
127	To: ConvertedTo, Adjustment);
128	return assumeSymOutsideInclusiveRange(State, Sym: AdjustedSym, From: ConvertedFrom,
129	To: ConvertedTo, Adjustment);
130	}
131
132	ProgramStateRef
133	RangedConstraintManager::assumeSymUnsupported(ProgramStateRef State,
134	SymbolRef Sym, bool Assumption) {
135	Sym = simplify(State, Sym);
136
137	BasicValueFactory &BVF = getBasicVals();
138	QualType T = Sym->getType();
139
140	// Non-integer types are not supported.
141	if (!T ->isIntegralOrEnumerationType())
142	return State;
143
144	// Reverse the operation and add directly to state.
145	const llvm::APSInt &Zero = BVF.getValue(X: `0`, T);
146	if (Assumption)
147	return assumeSymNE(State, Sym, V: Zero, Adjustment: Zero);
148	else
149	return assumeSymEQ(State, Sym, V: Zero, Adjustment: Zero);
150	}
151
152	ProgramStateRef RangedConstraintManager::assumeSymRel(ProgramStateRef State,
153	SymbolRef Sym,
154	BinaryOperator::Opcode Op,
155	const llvm::APSInt &Int) {
156	assert(BinaryOperator::isComparisonOp(Op) &&
157	"Non-comparison ops should be rewritten as comparisons to zero.");
158
159	// Simplification: translate an assume of a constraint of the form
160	// "(exp comparison_op expr) != 0" to true into an assume of
161	// "exp comparison_op expr" to true. (And similarly, an assume of the form
162	// "(exp comparison_op expr) == 0" to true into an assume of
163	// "exp comparison_op expr" to false.)
164	if (Int == `0` && (Op == BO_EQ \|\| Op == BO_NE)) {
165	if (const BinarySymExpr *SE = dyn_cast<BinarySymExpr>(Val: Sym))
166	if (BinaryOperator::isComparisonOp(Opc: SE->getOpcode()))
167	return assumeSym(State, Sym, Assumption: (Op == BO_NE ? true : false));
168	}
169
170	// Get the type used for calculating wraparound.
171	BasicValueFactory &BVF = getBasicVals();
172	APSIntType WraparoundType = BVF.getAPSIntType(T: Sym->getType());
173
174	// We only handle simple comparisons of the form "$sym == constant"
175	// or "($sym+constant1) == constant2".
176	// The adjustment is "constant1" in the above expression. It's used to
177	// "slide" the solution range around for modular arithmetic. For example,
178	// x < 4 has the solution [0, 3]. x+2 < 4 has the solution [0-2, 3-2], which
179	// in modular arithmetic is [0, 1] U [UINT_MAX-1, UINT_MAX]. It's up to
180	// the subclasses of SimpleConstraintManager to handle the adjustment.
181	llvm::APSInt Adjustment = WraparoundType.getZeroValue();
182	computeAdjustment(Sym, Adjustment);
183
184	// Convert the right-hand side integer as necessary.
185	APSIntType ComparisonType = std::max(a: WraparoundType, b: APSIntType (Int));
186	llvm::APSInt ConvertedInt = ComparisonType.convert(Value: Int);
187
188	// Prefer unsigned comparisons.
189	if (ComparisonType.getBitWidth() == WraparoundType.getBitWidth() &&
190	ComparisonType.isUnsigned() && !WraparoundType.isUnsigned())
191	Adjustment.setIsSigned(false);
192
193	switch (Op) {
194	default:
195	llvm_unreachable("invalid operation not caught by assertion above");
196
197	case BO_EQ:
198	return assumeSymEQ(State, Sym, V: ConvertedInt, Adjustment);
199
200	case BO_NE:
201	return assumeSymNE(State, Sym, V: ConvertedInt, Adjustment);
202
203	case BO_GT:
204	return assumeSymGT(State, Sym, V: ConvertedInt, Adjustment);
205
206	case BO_GE:
207	return assumeSymGE(State, Sym, V: ConvertedInt, Adjustment);
208
209	case BO_LT:
210	return assumeSymLT(State, Sym, V: ConvertedInt, Adjustment);
211
212	case BO_LE:
213	return assumeSymLE(State, Sym, V: ConvertedInt, Adjustment);
214	} // end switch
215	}
216
217	void RangedConstraintManager::computeAdjustment(SymbolRef &Sym,
218	llvm::APSInt &Adjustment) {
219	// Is it a "($sym+constant1)" expression?
220	if (const SymIntExpr *SE = dyn_cast<SymIntExpr>(Val: Sym)) {
221	BinaryOperator::Opcode Op = SE->getOpcode();
222	if (Op == BO_Add \|\| Op == BO_Sub) {
223	Sym = SE->getLHS();
224	Adjustment = APSIntType (Adjustment).convert(Value: SE->getRHS());
225
226	// Don't forget to negate the adjustment if it's being subtracted.
227	// This should happen /after/ promotion, in case the value being
228	// subtracted is, say, CHAR_MIN, and the promoted type is 'int'.
229	if (Op == BO_Sub)
230	Adjustment = -Adjustment;
231	}
232	}
233	}
234
235	SVal simplifyToSVal(ProgramStateRef State, SymbolRef Sym) {
236	SValBuilder &SVB = State ->getStateManager().getSValBuilder();
237	return SVB.simplifySVal(State, Val: SVB.makeSymbolVal(Sym));
238	}
239
240	SymbolRef simplify(ProgramStateRef State, SymbolRef Sym) {
241	SVal SimplifiedVal = simplifyToSVal(State, Sym);
242	if (SymbolRef SimplifiedSym = SimplifiedVal.getAsSymbol())
243	return SimplifiedSym;
244	return Sym;
245	}
246
247	} // end of namespace ento
248	} // end of namespace clang
249

source code of clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp