docs/AnalyzerRegions.txt - platform/external/clang - Gitiles

 Symbolic Region

 A symbolic region is a map of the concept of symbolic values into the domain of
 regions. It is the way that we represent symbolic pointers. Whenever a symbolic
 pointer value is needed, a symbolic region is created to represent it.

 A symbolic region has no type. It wraps a SymbolData. But sometimes we have type
 information associated with a symbolic region. For this case, a TypedViewRegion
 is created to layer the type information on top of the symbolic region. The
 reason we do not carry type information with the symbolic region is that
 the symbolic regions can have no type. To be consistent, we don't let them to
 carry type information.

 Like a symbolic pointer, a symbolic region may be NULL, has unknown extent, and
 represents a generic chunk of memory.

 We plan not to use loc::SymbolVal in RegionStore and remove it gradually.

 Pointer Casts

 Pointer casts allow people to impose different 'views' onto a chunk of memory.

 Usually we have two kinds of casts. One kind of casts cast down with in the type
 hierarchy. It imposes more specific views onto more generic memory regions. The
 other kind of casts cast up with in the type hierarchy. It strips away more
 specific views on top of the more generic memory regions.

 We simulate the down casts by layering another TypedViewRegion on top of the
 original region. We simulate the up casts by striping away the top
 TypedViewRegion. Down casts is usually simple. For up casts, if the there is no
 TypedViewRegion to be stripped, we return the original region. If the underlying
 region is of the different type than the cast-to type, we flag an error state.

 For toll-free bridging casts, we return the original region.

 Region Bindings

 The following region kinds are boundable: VarRegion, CompoundLiteralRegion,
 StringRegion, ElementRegion, FieldRegion, and ObjCIvarRegion.

 When binding regions, we perform canonicalization on element regions and field
 regions. This is because we can have different views on the same region, some of
 which are essentially the same view with different sugar type names.

 To canonicalize a region, we get the canonical types for all TypedViewRegions
 along the way up to the root region, and make new TypedViewRegions with those
 canonical types.

 All bindings and retrievings are done on the canonicalized regions.

 Canonicalization is transparent outside the region store manager, and more
 specifically, unaware outside the Bind() and Retrieve() method. We don't need to
 consider region canonicalization when doing pointer cast.
	Symbolic Region

	A symbolic region is a map of the concept of symbolic values into the domain of
	regions. It is the way that we represent symbolic pointers. Whenever a symbolic
	pointer value is needed, a symbolic region is created to represent it.

	A symbolic region has no type. It wraps a SymbolData. But sometimes we have type
	information associated with a symbolic region. For this case, a TypedViewRegion
	is created to layer the type information on top of the symbolic region. The
	reason we do not carry type information with the symbolic region is that
	the symbolic regions can have no type. To be consistent, we don't let them to
	carry type information.

	Like a symbolic pointer, a symbolic region may be NULL, has unknown extent, and
	represents a generic chunk of memory.

	We plan not to use loc::SymbolVal in RegionStore and remove it gradually.

	Pointer Casts

	Pointer casts allow people to impose different 'views' onto a chunk of memory.

	Usually we have two kinds of casts. One kind of casts cast down with in the type
	hierarchy. It imposes more specific views onto more generic memory regions. The
	other kind of casts cast up with in the type hierarchy. It strips away more
	specific views on top of the more generic memory regions.

	We simulate the down casts by layering another TypedViewRegion on top of the
	original region. We simulate the up casts by striping away the top
	TypedViewRegion. Down casts is usually simple. For up casts, if the there is no
	TypedViewRegion to be stripped, we return the original region. If the underlying
	region is of the different type than the cast-to type, we flag an error state.

	For toll-free bridging casts, we return the original region.

	Region Bindings

	The following region kinds are boundable: VarRegion, CompoundLiteralRegion,
	StringRegion, ElementRegion, FieldRegion, and ObjCIvarRegion.

	When binding regions, we perform canonicalization on element regions and field
	regions. This is because we can have different views on the same region, some of
	which are essentially the same view with different sugar type names.

	To canonicalize a region, we get the canonical types for all TypedViewRegions
	along the way up to the root region, and make new TypedViewRegions with those
	canonical types.

	All bindings and retrievings are done on the canonicalized regions.

	Canonicalization is transparent outside the region store manager, and more
	specifically, unaware outside the Bind() and Retrieve() method. We don't need to
	consider region canonicalization when doing pointer cast.