| blob | 45e48d435aca6a2c2d374dd95d074d687f21f2a4 |
1 // SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*-
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines SimpleSValBuilder, a basic implementation of SValBuilder.
10 //
11 //===----------------------------------------------------------------------===//
18 #include <optional>
26 // Query the constraint manager whether the SVal has only one possible
27 // (integer) value. If that is the case, the value is returned. Otherwise,
28 // returns NULL.
29 // This is an implementation detail. Checkers should use `getKnownValue()`
30 // instead.
33 // Helper function that returns the value stored in a nonloc::ConcreteInt or
34 // loc::ConcreteInt.
37 // With one `simplifySValOnce` call, a compound symbols might collapse to
38 // simpler symbol tree that is still possible to further simplify. Thus, we
39 // do the simplification on a new symbol tree until we reach the simplest
40 // form, i.e. the fixpoint.
41 // Consider the following symbol `(b * b) * b * b` which has this tree:
42 // *
43 // / \
44 // * b
45 // / \
46 // / b
47 // (b * b)
48 // Now, if the `b * b == 1` new constraint is added then during the first
49 // iteration we have the following transformations:
50 // * *
51 // / \ / \
52 // * b --> b b
53 // / \
54 // / b
55 // 1
56 // We need another iteration to reach the final result `1`.
59 // Recursively descends into symbolic expressions and replaces symbols
60 // with their known values (in the sense of the getConstValue() method).
61 // We traverse the symbol tree and query the constraint values for the
62 // sub-trees and if a value is a constant we do the constant folding.
78 /// Evaluates a given SVal by recursively evaluating and
79 /// simplifying the children SVals. If the SVal has only one possible
80 /// (integer) value, that value is returned. Otherwise, returns NULL.
83 /// Evaluates a given SVal by recursively evaluating and simplifying the
84 /// children SVals, then returns its minimal possible (integer) value. If the
85 /// constraint manager cannot provide a meaningful answer, this returns NULL.
88 /// Evaluates a given SVal by recursively evaluating and simplifying the
89 /// children SVals, then returns its maximal possible (integer) value. If the
90 /// constraint manager cannot provide a meaningful answer, this returns NULL.
97 };
104 }
106 // Checks if the negation the value and flipping sign preserve
107 // the semantics on the operation in the resultType
109 APSIntType ResultType) {
112 // The value is the lowest negative value that is representable
113 // in signed integer with bitWith of result type. The
114 // negation is representable if resultType is unsigned.
116 }
118 // If resultType bitWith is higher that number of bits required
119 // to represent RHS, the sign flip produce same value.
121 }
123 //===----------------------------------------------------------------------===//
124 // Transfer function for binary operators.
125 //===----------------------------------------------------------------------===//
130 QualType resultTy) {
133 // Check for a few special cases with known reductions first.
136 // We can't reduce this case; just treat it normally.
139 // a*0 and a*1
146 // a/0 and a/1
148 // This is also handled elsewhere.
154 // a%0 and a%1
156 // This is also handled elsewhere.
166 // a+0, a-0, a<<0, a>>0, a^0
171 // a&0 and a&(~0)
178 // a|0 and a|(~0)
184 }
186 }
188 // Idempotent ops (like a*1) can still change the type of an expression.
189 // Wrap the LHS up in a NonLoc again and let evalCast do the
190 // dirty work.
194 // If we reach this point, the expression cannot be simplified.
195 // Make a SymbolVal for the entire expression, after converting the RHS.
198 // We're looking for a type big enough to compare the symbolic value
199 // with the given constant.
200 // FIXME: This is an approximation of Sema::UsualArithmeticConversions.
207 // If the value is too small, extend it.
210 // If the value is signed but the symbol is unsigned, do the comparison
211 // in unsigned space. [C99 6.3.1.8]
212 // (For the opposite case, the value is already unsigned.)
215 }
217 // Change a+(-N) into a-N, and a-(-N) into a+N
218 // Adjust addition/subtraction of negative value, to
219 // subtraction/addition of the negated value.
226 }
231 }
233 // See if Sym is known to be a relation Rel with Bound.
237 SVal Result =
242 }
244 }
246 // See if Sym is known to be within [min/4, max/4], where min and max
247 // are the bounds of the symbol's integral type. With such symbols,
248 // some manipulations can be performed without the risk of overflow.
249 // assume() doesn't cause infinite recursion because we should be dealing
250 // with simpler symbols on every recursive call.
252 ProgramStateRef State) {
264 }
266 // Same for the concrete integers: see if I is within [min/4, max/4].
274 }
285 // Fail to decompose: "reduce" the problem to the "$x + 0" case.
287 }
289 // Simplify "(LSym + LInt) Op (RSym + RInt)" assuming all values are of the
290 // same signed integral type and no overflows occur (which should be checked
291 // by the caller).
308 QualType ResultTy;
313 else
325 // Prefer comparing to a non-negative number.
326 // FIXME: Maybe it'd be better to have consistency in
327 // "$x - $y" vs. "$y - $x" because those are solver's keys.
336 }
341 // Bring back the cosmetic difference.
346 // Shortcut: Simplify "$x + 0" to "$x".
348 }
349 }
353 }
355 // Rearrange if symbol type matches the result type and if the operator is a
356 // comparison operator, both symbol and constant must be within constant
357 // overflow bounds.
364 }
372 // We expect everything to be of the same type - this type.
373 QualType SingleTy;
375 // FIXME: After putting complexity threshold to the symbols we can always
376 // rearrange additive operations but rearrange comparisons only if
377 // option is set.
389 // Initialize SingleTy later with a symbol's type.
395 // Don't rearrange other operations.
397 }
401 // Rearrange signed symbolic expressions only
417 // We know that no overflows can occur anymore.
419 }
424 QualType resultTy) {
428 // Constraints may have changed since the creation of a bound SVal. Check if
429 // the values can be simplified based on those new constraints.
437 // Handle trivial case where left-side and right-side are the same.
455 QualType{});
459 }
478 }
479 }
484 // FIXME: at the moment the implementation
485 // of modeling "pointers as integers" is not complete.
490 resultTy);
492 // FIXME: at the moment the implementation
493 // of modeling "pointers as integers" is not complete.
496 // Transform the integer into a location and compare.
497 // FIXME: This only makes sense for comparisons. If we want to, say,
498 // add 1 to a LocAsInteger, we'd better unpack the Loc and add to it,
499 // then pack it back into a LocAsInteger.
501 // If the region has a symbolic base, pay attention to the type; it
502 // might be coming from a non-default address space. For non-symbolic
503 // regions it doesn't matter that much because such comparisons would
504 // most likely evaluate to concrete false anyway. FIXME: We might
505 // still need to handle the non-comparison case.
508 else
511 }
519 // This case also handles pointer arithmetic.
521 }
522 }
523 }
527 // If we're dealing with two known constants, just perform the operation.
531 // We're looking for a type big enough to compare the two values.
532 // FIXME: This is not correct. char + short will result in a promotion
533 // to int. Unfortunately we have lost types by this point.
542 }
548 // FIXME: At this point the constant folding claims that the result
549 // of a bitwise shift is undefined. However, constant folding
550 // relies on the inaccurate type information that is stored in the
551 // bit size of APSInt objects, and if we reached this point, then
552 // the checker core.BitwiseShift already determined that the shift
553 // is valid (in a PreStmt callback, by querying the real type from
554 // the AST node).
555 // To avoid embarrassing false positives, let's just say that we
556 // don't know anything about the result of the shift.
558 }
560 }
563 }
565 // Swap the left and right sides and flip the operator if doing so
566 // allows us to better reason about the expression (this is a form
567 // of expression canonicalization).
568 // While we're at it, catch some special cases for non-commutative ops.
586 // (~0)>>a
591 // 0<<a and 0>>a
596 // 0 / x == 0
598 // 0 % x == 0
604 }
605 }
607 // We only handle LHS as simple symbols or SymIntExprs.
610 // LHS is a symbolic expression.
613 // Is this a logical not? (!x is represented as x == 0.)
615 // We know how to negate certain expressions. Simplify them here.
620 // We don't know how to negate this operation.
621 // Just handle it as if it were a normal comparison to 0.
653 // Negate the comparison and make a value.
657 }
658 }
660 // For now, only handle expressions whose RHS is a constant.
662 // If both the LHS and the current expression are additive,
663 // fold their constants and try again.
667 // Convert the two constants to a common type, then combine them.
669 // resultTy may not be the best type to convert to, but it's
670 // probably the best choice in expressions with mixed type
671 // (such as x+1U+2LL). The rules for implicit conversions should
672 // choose a reasonable type to preserve the expression, and will
673 // at least match how the value is going to be used.
678 // If the op and lop agrees, then we just need to
679 // sum the constants. Otherwise, we change to operation
680 // type if substraction would produce negative value
681 // (and cause overflow for unsigned integers),
682 // as consequence x+1U-10 produces x-9U, instead
683 // of x+4294967287U, that would be produced without this
684 // additional check.
693 }
699 }
700 }
702 // Otherwise, make a SymIntExpr out of the expression.
704 }
705 }
707 // Is the RHS a constant?
714 // Give up -- this is not a symbolic expression we can handle.
716 }
717 }
718 }
719 }
724 QualType resultTy,
726 // Only comparisons are meaningful here!
730 // Next, see if the two FRs have the same super-region.
731 // FIXME: This doesn't handle casts yet, and simply stripping the casts
732 // doesn't help.
740 // Make sure the two FRs are from the same kind of record. Just in case!
741 // FIXME: This is probably where inheritance would be a problem.
745 // We know for sure that the two fields are not the same, since that
746 // would have given us the same SVal.
752 // Iterate through the fields and see which one comes first.
753 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field
754 // members and the units in which bit-fields reside have addresses that
755 // increase in the order in which they are declared."
762 }
765 }
767 // This is used in debug builds only for now because some downstream users
768 // may hit this assert in their subsequent merges.
769 // There are still places in the analyzer where equal bitwidth Locs
770 // are compared, and need to be found and corrected. Recent previous fixes have
771 // addressed the known problems of making NULLs with specific bitwidths
772 // for Loc comparisons along with deprecation of APIs for the same purpose.
773 //
775 Loc LhsLoc) {
776 // Implements a "best effort" check for RhsLoc and LhsLoc bit widths
785 }
786 }
788 // FIXME: all this logic will change if/when we have MemRegion::getLocation().
792 QualType resultTy) {
794 // Assert that bitwidth of lhs and rhs are the same.
795 // This can happen if two different address spaces are used,
796 // and the bitwidths of the address spaces are different.
797 // See LIT case clang/test/Analysis/cstring-checker-addressspace.c
798 // FIXME: See comment above in the function assertEqualBitWidths
801 // Only comparisons and subtractions are valid operations on two pointers.
802 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15].
803 // However, if a pointer is casted to an integer, evalBinOpNN may end up
804 // calling this function with another operation (PR7527). We don't attempt to
805 // model this for now, but it could be useful, particularly when the
806 // "location" is actually an integer value that's been passed through a void*.
810 // Special cases for when both sides are identical.
825 }
826 }
833 // The only thing we know about labels is that they're non-null.
848 }
849 }
850 // There may be two labels for the same location, and a function region may
851 // have the same address as a label at the start of the function (depending
852 // on the ABI).
853 // FIXME: we can probably do a comparison against other MemRegions, though.
854 // FIXME: is there a way to tell if two labels refer to the same location?
860 // If one of the operands is a symbol and the other is a constant,
861 // build an expression for use by the constraint manager.
863 // We can only build expressions with symbols on the left,
864 // so we need a reversible operator.
870 }
872 // If both operands are constants, just perform the operation.
880 }
882 // Special case comparisons against NULL.
883 // This must come after the test if the RHS is a symbol, which is used to
884 // build constraints. The address of any non-symbolic region is guaranteed
885 // to be non-NULL, as is any label.
899 }
900 }
902 // Comparing an arbitrary integer to a region or label address is
903 // completely unknowable.
905 }
908 // If one of the operands is a symbol and the other is a constant,
909 // build an expression for use by the constraint manager.
914 }
915 // Special case comparisons to NULL.
916 // This must come after the test if the LHS is a symbol, which is used to
917 // build constraints. The address of any non-symbolic region is guaranteed
918 // to be non-NULL.
928 }
929 }
931 // Comparing a region to an arbitrary integer is completely unknowable.
933 }
935 // Get both values as regions, if possible.
941 // The RHS is probably a label, which in theory could address a region.
942 // FIXME: we can probably make a more useful statement about non-code
943 // regions, though.
952 // If the two regions are from different known memory spaces they cannot be
953 // equal. Also, assume that no symbolic region (whose memory space is
954 // unknown) is on the stack.
965 }
966 }
968 // If both values wrap regions, see if they're from different base regions.
969 // Note, heap base symbolic regions are assumed to not alias with
970 // each other; for example, we assume that malloc returns different address
971 // on each invocation.
972 // FIXME: ObjC object pointers always reside on the heap, but currently
973 // we treat their memory space as unknown, because symbolic pointers
974 // to ObjC objects may alias. There should be a way to construct
975 // possibly-aliasing heap-based regions. For instance, MacOSXApiChecker
976 // guesses memory space for ObjC object pointers manually instead of
977 // relying on us.
988 }
989 }
991 // Handle special cases for when both regions are element regions.
995 // Next, see if the two ERs have the same super-region and matching types.
996 // FIXME: This should do something useful even if the types don't match,
997 // though if both indexes are constant the RegionRawOffset path will
998 // give the correct answer.
1001 // Get the left index and cast it to the correct type.
1002 // If the index is unknown or undefined, bail out here.
1012 // Do the same for the right index.
1022 // Actually perform the operation.
1023 // evalBinOpNN expects the two indexes to already be the right type.
1025 }
1026 }
1028 // Special handling of the FieldRegions, even with symbolic offsets.
1036 }
1038 // Compare the regions using the raw offsets.
1063 }
1064 }
1066 // At this point we're not going to get a good answer, but we can try
1067 // conjuring an expression instead.
1073 // If we get here, we have no way of comparing the regions.
1075 }
1076 }
1077 }
1095 };
1099 }
1102 }
1103 }
1106 }
1111 // Special case: rhs is a zero constant.
1115 // Perserve the null pointer so that it can be found by the DerefChecker.
1119 // We are dealing with pointer arithmetic.
1121 // Handle pointer arithmetic on constant values.
1130 // Convert the bitwidth of rightI. This should deal with overflow
1131 // since we are dealing with concrete values.
1134 // Offset the increment by the pointer size.
1140 // Compute the adjusted pointer.
1150 }
1152 }
1153 }
1155 // Handle cases where 'lhs' is a region.
1160 // We need to know the type of the pointer in order to add an integer to it.
1161 // Depending on the type, different amount of bytes is added.
1162 QualType elementType;
1170 }
1175 // TODO: Is this actually reliable? Maybe improving our MemRegion
1176 // hierarchy to provide typed regions for all non-void pointers would be
1177 // better. For instance, we cannot extend this towards LocAsInteger
1178 // operations, where result type of the expression is integer.
1181 }
1183 // Represent arithmetic on void pointers as arithmetic on char pointers.
1184 // It is fine when a TypedValueRegion of char value type represents
1185 // a void pointer. Note that arithmetic on void pointers is a GCC extension.
1192 }
1193 }
1195 }
1198 SVal V) {
1206 }
1216 }
1219 SVal V) {
1221 }
1224 SVal V) {
1234 }
1237 SVal V) {
1247 }
1254 }
1256 }
1260 }
1263 // For now, this function tries to constant-fold symbols inside a
1264 // nonloc::SymbolVal, and does nothing else. More simplifications should
1265 // be possible, such as constant-folding an index in an ElementRegion.
1268 ProgramStateRef State;
1271 // Cache results for the lifetime of the Simplifier. Results change every
1272 // time new constraints are added to the program state, which is the whole
1273 // point of simplifying, and for that very reason it's pointless to maintain
1274 // the same cache for the duration of the whole analysis.
1279 }
1284 }
1288 }
1290 // Return the known const value for the Sym if available, or return Undef
1291 // otherwise.
1299 }
1306 }
1313 // No cache here.
1319 }
1330 SVal RHS;
1331 // By looking at the APSInt in the right-hand side of S, we cannot
1332 // figure out if it should be treated as a Loc or as a NonLoc.
1333 // So make our guess by recalling that we cannot multiply pointers
1334 // or compare a pointer to an integer.
1337 // The usual conversion of $sym to &SymRegion{$sym}, as they have
1338 // the same meaning for Loc-type symbols, but the latter form
1339 // is preferred in SVal computations for being Loc itself.
1343 }
1347 }
1351 }
1365 }
1372 // For now don't try to simplify mixed Loc/NonLoc expressions
1373 // because they often appear from LocAsInteger operations
1374 // and we don't know how to combine a LocAsInteger
1375 // with a concrete value.
1388 }
1400 }
1412 }
1419 // Simplification is much more costly than computing complexity.
1420 // For high complexity, it may be not worth it.
1422 }
1425 };
1429 }