Initial support for checking out of bound memory access. Only support
ConcreteInt index for now.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@59869 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/Analysis/BasicConstraintManager.cpp b/lib/Analysis/BasicConstraintManager.cpp
index b09d9de..a359b23 100644
--- a/lib/Analysis/BasicConstraintManager.cpp
+++ b/lib/Analysis/BasicConstraintManager.cpp
@@ -69,6 +69,9 @@
const GRState* AssumeSymLE(const GRState* St, SymbolID sym,
const llvm::APSInt& V, bool& isFeasible);
+ const GRState* AssumeInBound(const GRState* St, SVal Idx, SVal UpperBound,
+ bool Assumption, bool& isFeasible);
+
const GRState* AddEQ(const GRState* St, SymbolID sym, const llvm::APSInt& V);
const GRState* AddNE(const GRState* St, SymbolID sym, const llvm::APSInt& V);
@@ -83,6 +86,9 @@
void print(const GRState* St, std::ostream& Out,
const char* nl, const char *sep);
+
+private:
+ BasicValueFactory& getBasicVals() { return StateMgr.getBasicVals(); }
};
} // end anonymous namespace
@@ -352,6 +358,27 @@
return St;
}
+const GRState*
+BasicConstraintManager::AssumeInBound(const GRState* St, SVal Idx,
+ SVal UpperBound, bool Assumption,
+ bool& isFeasible) {
+ // Only support ConcreteInt for now.
+ if (!(isa<nonloc::ConcreteInt>(Idx) && isa<nonloc::ConcreteInt>(UpperBound))){
+ isFeasible = true;
+ return St;
+ }
+
+ const llvm::APSInt& Zero = getBasicVals().getZeroWithPtrWidth(false);
+ const llvm::APSInt& IdxV = cast<nonloc::ConcreteInt>(Idx).getValue();
+ const llvm::APSInt& UBV = cast<nonloc::ConcreteInt>(UpperBound).getValue();
+
+ bool InBound = (Zero <= IdxV) && (IdxV < UBV);
+
+ isFeasible = Assumption ? InBound : !InBound;
+
+ return St;
+}
+
static int ConstEqTyIndex = 0;
static int ConstNotEqTyIndex = 0;
diff --git a/lib/Analysis/BasicValueFactory.cpp b/lib/Analysis/BasicValueFactory.cpp
index 5b7041b..7ce305e 100644
--- a/lib/Analysis/BasicValueFactory.cpp
+++ b/lib/Analysis/BasicValueFactory.cpp
@@ -76,6 +76,12 @@
return *P;
}
+const llvm::APSInt& BasicValueFactory::getValue(const llvm::APInt& X,
+ bool isUnsigned) {
+ llvm::APSInt V(X, isUnsigned);
+ return getValue(V);
+}
+
const llvm::APSInt& BasicValueFactory::getValue(uint64_t X, unsigned BitWidth,
bool isUnsigned) {
llvm::APSInt V(BitWidth, isUnsigned);
diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index db325fb..6de910f 100644
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp
@@ -1084,9 +1084,14 @@
bool isFeasibleOutBound = false;
const GRState* StOutBound = AssumeInBound(StNotNull, Idx, NumElements,
false, isFeasibleOutBound);
- StInBound = StOutBound = 0; // FIXME: squeltch warning.
- // Report warnings ...
+ if (isFeasibleOutBound) {
+ // Report warning.
+
+ StOutBound = 0;
+ }
+
+ return isFeasibleInBound ? StInBound : NULL;
}
}
diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp
index 6f632f4..cc7715a 100644
--- a/lib/Analysis/RegionStore.cpp
+++ b/lib/Analysis/RegionStore.cpp
@@ -80,6 +80,8 @@
SVal getLValueElement(const GRState* St, SVal Base, SVal Offset);
+ SVal getSizeInElements(const GRState* St, const MemRegion* R);
+
SVal ArrayToPointer(SVal Array);
std::pair<const GRState*, SVal>
@@ -257,6 +259,40 @@
return UnknownVal();
}
+SVal RegionStoreManager::getSizeInElements(const GRState* St,
+ const MemRegion* R) {
+ if (const VarRegion* VR = dyn_cast<VarRegion>(R)) {
+ // Get the type of the variable.
+ QualType T = VR->getType(getContext());
+
+ // It must be of array type.
+ const ConstantArrayType* CAT = cast<ConstantArrayType>(T.getTypePtr());
+
+ // return the size as signed integer.
+ return NonLoc::MakeVal(getBasicVals(), CAT->getSize(), false);
+ }
+
+ if (const StringRegion* SR = dyn_cast<StringRegion>(R)) {
+ // FIXME: Unsupported yet.
+ SR = 0;
+ return UnknownVal();
+ }
+
+ if (const AnonTypedRegion* ATR = dyn_cast<AnonTypedRegion>(R)) {
+ // FIXME: Unsupported yet.
+ ATR = 0;
+ return UnknownVal();
+ }
+
+ if (const FieldRegion* FR = dyn_cast<FieldRegion>(R)) {
+ // FIXME: Unsupported yet.
+ FR = 0;
+ return UnknownVal();
+ }
+ printf("kidn = %d\n", R->getKind());
+ assert(0 && "Other regions are not supported yet.");
+}
+
// Cast 'pointer to array' to 'pointer to the first element of array'.
SVal RegionStoreManager::ArrayToPointer(SVal Array) {
diff --git a/lib/Analysis/SVals.cpp b/lib/Analysis/SVals.cpp
index 644f60d..764a05f 100644
--- a/lib/Analysis/SVals.cpp
+++ b/lib/Analysis/SVals.cpp
@@ -253,6 +253,11 @@
I->getType()->isUnsignedIntegerType())));
}
+NonLoc NonLoc::MakeVal(BasicValueFactory& BasicVals, const llvm::APInt& I,
+ bool isUnsigned) {
+ return nonloc::ConcreteInt(BasicVals.getValue(I, isUnsigned));
+}
+
NonLoc NonLoc::MakeIntTruthVal(BasicValueFactory& BasicVals, bool b) {
return nonloc::ConcreteInt(BasicVals.getTruthValue(b));
}