Disallow the use of UnknownVal as the index for ElementRegions. UnknownVals can be used as
the index when the value evaluation isn't powerful enough. By creating ElementRegions with
UnknownVals as the index, this gives the false impression that they are the same element, when
they really aren't. This becomes really problematic when deriving symbols from these regions
(e.g., those representing the initial value of the index), since two different indices will
get the same symbol for their binding.
This fixes an issue with the idempotent operations checker that would cause two indices that
are clearly not the same to make it appear as if they always had the same value.
Fixes <rdar://problem/8431728>.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@113920 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/include/clang/Checker/PathSensitive/GRState.h b/include/clang/Checker/PathSensitive/GRState.h
index ac38289..878f564 100644
--- a/include/clang/Checker/PathSensitive/GRState.h
+++ b/include/clang/Checker/PathSensitive/GRState.h
@@ -650,7 +650,9 @@
}
inline SVal GRState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
- return getStateManager().StoreMgr->getLValueElement(ElementType, Idx, Base);
+ if (NonLoc *N = dyn_cast<NonLoc>(&Idx))
+ return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
+ return UnknownVal();
}
inline const llvm::APSInt *GRState::getSymVal(SymbolRef sym) const {
diff --git a/include/clang/Checker/PathSensitive/MemRegion.h b/include/clang/Checker/PathSensitive/MemRegion.h
index 96f906a..82b0c14 100644
--- a/include/clang/Checker/PathSensitive/MemRegion.h
+++ b/include/clang/Checker/PathSensitive/MemRegion.h
@@ -788,9 +788,9 @@
friend class MemRegionManager;
QualType ElementType;
- SVal Index;
+ NonLoc Index;
- ElementRegion(QualType elementType, SVal Idx, const MemRegion* sReg)
+ ElementRegion(QualType elementType, NonLoc Idx, const MemRegion* sReg)
: TypedRegion(sReg, ElementRegionKind),
ElementType(elementType), Index(Idx) {
assert((!isa<nonloc::ConcreteInt>(&Idx) ||
@@ -803,7 +803,7 @@
public:
- SVal getIndex() const { return Index; }
+ NonLoc getIndex() const { return Index; }
QualType getValueType() const {
return ElementType;
@@ -942,7 +942,7 @@
/// getElementRegion - Retrieve the memory region associated with the
/// associated element type, index, and super region.
- const ElementRegion *getElementRegion(QualType elementType, SVal Idx,
+ const ElementRegion *getElementRegion(QualType elementType, NonLoc Idx,
const MemRegion *superRegion,
ASTContext &Ctx);
diff --git a/include/clang/Checker/PathSensitive/Store.h b/include/clang/Checker/PathSensitive/Store.h
index a1a4184..1ead466 100644
--- a/include/clang/Checker/PathSensitive/Store.h
+++ b/include/clang/Checker/PathSensitive/Store.h
@@ -112,7 +112,7 @@
return getLValueFieldOrIvar(D, Base);
}
- virtual SVal getLValueElement(QualType elementType, SVal offset, SVal Base);
+ virtual SVal getLValueElement(QualType elementType, NonLoc offset, SVal Base);
// FIXME: This should soon be eliminated altogether; clients should deal with
// region extents directly.
diff --git a/lib/Checker/MemRegion.cpp b/lib/Checker/MemRegion.cpp
index 3f706e1..ddcb7d2 100644
--- a/lib/Checker/MemRegion.cpp
+++ b/lib/Checker/MemRegion.cpp
@@ -624,7 +624,7 @@
}
const ElementRegion*
-MemRegionManager::getElementRegion(QualType elementType, SVal Idx,
+MemRegionManager::getElementRegion(QualType elementType, NonLoc Idx,
const MemRegion* superRegion,
ASTContext& Ctx){
diff --git a/lib/Checker/RegionStore.cpp b/lib/Checker/RegionStore.cpp
index 4051f4d..91f7cfa 100644
--- a/lib/Checker/RegionStore.cpp
+++ b/lib/Checker/RegionStore.cpp
@@ -786,7 +786,7 @@
ArrayType *AT = cast<ArrayType>(T);
T = AT->getElementType();
- SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
+ NonLoc ZeroIdx = ValMgr.makeZeroArrayIndex();
return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR, Ctx));
}
@@ -828,14 +828,14 @@
else
EleTy = T->getAs<ObjCObjectPointerType>()->getPointeeType();
- SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
+ const NonLoc &ZeroIdx = ValMgr.makeZeroArrayIndex();
ER = MRMgr.getElementRegion(EleTy, ZeroIdx, SR, Ctx);
break;
}
case MemRegion::AllocaRegionKind: {
const AllocaRegion *AR = cast<AllocaRegion>(MR);
QualType EleTy = Ctx.CharTy; // Create an ElementRegion of bytes.
- SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
+ NonLoc ZeroIdx = ValMgr.makeZeroArrayIndex();
ER = MRMgr.getElementRegion(EleTy, ZeroIdx, AR, Ctx);
break;
}
@@ -889,8 +889,12 @@
SVal NewIdx =
Base->evalBinOp(ValMgr, Op,
cast<nonloc::ConcreteInt>(ValMgr.convertToArrayIndex(*Offset)));
+
+ if (!isa<NonLoc>(NewIdx))
+ return UnknownVal();
+
const MemRegion* NewER =
- MRMgr.getElementRegion(ER->getElementType(), NewIdx,
+ MRMgr.getElementRegion(ER->getElementType(), cast<NonLoc>(NewIdx),
ER->getSuperRegion(), Ctx);
return ValMgr.makeLoc(NewER);
}
@@ -1449,7 +1453,7 @@
if (VI == VE)
break;
- SVal Idx = ValMgr.makeArrayIndex(i);
+ const NonLoc &Idx = ValMgr.makeArrayIndex(i);
const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx);
if (ElementTy->isStructureOrClassType())
diff --git a/lib/Checker/SVals.cpp b/lib/Checker/SVals.cpp
index 97ba74e..937b948 100644
--- a/lib/Checker/SVals.cpp
+++ b/lib/Checker/SVals.cpp
@@ -270,7 +270,7 @@
void SVal::dumpToStream(llvm::raw_ostream& os) const {
switch (getBaseKind()) {
case UnknownKind:
- os << "Invalid";
+ os << "Unknown";
break;
case NonLocKind:
cast<NonLoc>(this)->dumpToStream(os);
diff --git a/lib/Checker/Store.cpp b/lib/Checker/Store.cpp
index 1cb5cd7..aaa518e 100644
--- a/lib/Checker/Store.cpp
+++ b/lib/Checker/Store.cpp
@@ -28,7 +28,7 @@
const MemRegion *StoreManager::MakeElementRegion(const MemRegion *Base,
QualType EleTy, uint64_t index) {
- SVal idx = ValMgr.makeArrayIndex(index);
+ NonLoc idx = ValMgr.makeArrayIndex(index);
return MRMgr.getElementRegion(EleTy, idx, Base, ValMgr.getContext());
}
@@ -45,7 +45,7 @@
const ElementRegion *StoreManager::GetElementZeroRegion(const MemRegion *R,
QualType T) {
- SVal idx = ValMgr.makeZeroArrayIndex();
+ NonLoc idx = ValMgr.makeZeroArrayIndex();
assert(!T.isNull());
return MRMgr.getElementRegion(T, idx, R, Ctx);
}
@@ -267,7 +267,7 @@
return loc::MemRegionVal(MRMgr.getFieldRegion(cast<FieldDecl>(D), BaseR));
}
-SVal StoreManager::getLValueElement(QualType elementType, SVal Offset,
+SVal StoreManager::getLValueElement(QualType elementType, NonLoc Offset,
SVal Base) {
// If the base is an unknown or undefined value, just return it back.
@@ -283,7 +283,7 @@
const ElementRegion *ElemR = dyn_cast<ElementRegion>(BaseRegion);
// Convert the offset to the appropriate size and signedness.
- Offset = ValMgr.convertToArrayIndex(Offset);
+ Offset = cast<NonLoc>(ValMgr.convertToArrayIndex(Offset));
if (!ElemR) {
//
@@ -322,8 +322,8 @@
assert(BaseIdxI.isSigned());
// Compute the new index.
- SVal NewIdx = nonloc::ConcreteInt(
- ValMgr.getBasicValueFactory().getValue(BaseIdxI + OffI));
+ nonloc::ConcreteInt NewIdx(ValMgr.getBasicValueFactory().getValue(BaseIdxI +
+ OffI));
// Construct the new ElementRegion.
const MemRegion *ArrayR = ElemR->getSuperRegion();
diff --git a/test/Analysis/idempotent-operations.c b/test/Analysis/idempotent-operations.c
index d88bf49..c673f00 100644
--- a/test/Analysis/idempotent-operations.c
+++ b/test/Analysis/idempotent-operations.c
@@ -194,3 +194,33 @@
a = (short)a; // no-warning
test(a);
}
+
+// This test case previously flagged a warning at 'b == c' because the
+// analyzer previously allowed 'UnknownVal' as the index for ElementRegions.
+typedef struct RDar8431728_F {
+ int RDar8431728_A;
+ unsigned char *RDar8431728_B;
+ int RDar8431728_E[6];
+} RDar8431728_D;
+static inline int RDar8431728_C(RDar8431728_D * s, int n,
+ unsigned char **RDar8431728_B_ptr) {
+ int xy, wrap, pred, a, b, c;
+
+ xy = s->RDar8431728_E[n];
+ wrap = s->RDar8431728_A;
+
+ a = s->RDar8431728_B[xy - 1];
+ b = s->RDar8431728_B[xy - 1 - wrap];
+ c = s->RDar8431728_B[xy - wrap];
+
+ if (b == c) { // no-warning
+ pred = a;
+ } else {
+ pred = c;
+ }
+
+ *RDar8431728_B_ptr = &s->RDar8431728_B[xy];
+
+ return pred;
+}
+