Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / clang / f8fd82ba49827db0f6a6ba00c55a7b56b12a19fa / . / lib / Checker / RegionStore.cpp
blob: d97fdbb7fd001e4d6e9bfc04c4e08785c6ae7b3d [file] [log] [blame]
Shih-wei Liaof8fd82b2010-02-10 11:10:31 -0800[diff] [blame^]1//== RegionStore.cpp - Field-sensitive store model --------------*- C++ -*--==//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines a basic region store model. In this model, we do have field
11// sensitivity. But we assume nothing about the heap shape. So recursive data
12// structures are largely ignored. Basically we do 1-limiting analysis.
13// Parameter pointers are assumed with no aliasing. Pointee objects of
14// parameters are created lazily.
15//
16//===----------------------------------------------------------------------===//
17#include "clang/Checker/PathSensitive/MemRegion.h"
18#include "clang/Analysis/AnalysisContext.h"
19#include "clang/Checker/PathSensitive/GRState.h"
20#include "clang/Checker/PathSensitive/GRStateTrait.h"
21#include "clang/Analysis/Analyses/LiveVariables.h"
22#include "clang/Analysis/Support/Optional.h"
23#include "clang/Basic/TargetInfo.h"
24#include "clang/AST/CharUnits.h"
25
26#include "llvm/ADT/ImmutableMap.h"
27#include "llvm/ADT/ImmutableList.h"
28#include "llvm/Support/raw_ostream.h"
29
30using namespace clang;
31
32#define USE_EXPLICIT_COMPOUND 0
33
34//===----------------------------------------------------------------------===//
35// Representation of binding keys.
36//===----------------------------------------------------------------------===//
37
38namespace {
39class BindingKey {
40public:
41 enum Kind { Direct = 0x0, Default = 0x1 };
42private:
43 llvm ::PointerIntPair<const MemRegion*, 1> P;
44 uint64_t Offset;
45
46 explicit BindingKey(const MemRegion *r, uint64_t offset, Kind k)
47 : P(r, (unsigned) k), Offset(offset) { assert(r); }
48public:
49
50 bool isDefault() const { return P.getInt() == Default; }
51 bool isDirect() const { return P.getInt() == Direct; }
52
53 const MemRegion *getRegion() const { return P.getPointer(); }
54 uint64_t getOffset() const { return Offset; }
55
56 void Profile(llvm::FoldingSetNodeID& ID) const {
57 ID.AddPointer(P.getOpaqueValue());
58 ID.AddInteger(Offset);
59 }
60
61 static BindingKey Make(const MemRegion *R, Kind k);
62
63 bool operator<(const BindingKey &X) const {
64 if (P.getOpaqueValue() < X.P.getOpaqueValue())
65 return true;
66 if (P.getOpaqueValue() > X.P.getOpaqueValue())
67 return false;
68 return Offset < X.Offset;
69 }
70
71 bool operator==(const BindingKey &X) const {
72 return P.getOpaqueValue() == X.P.getOpaqueValue() &&
73 Offset == X.Offset;
74 }
75};
76} // end anonymous namespace
77
78namespace llvm {
79 static inline
80 llvm::raw_ostream& operator<<(llvm::raw_ostream& os, BindingKey K) {
81 os << '(' << K.getRegion() << ',' << K.getOffset()
82 << ',' << (K.isDirect() ? "direct" : "default")
83 << ')';
84 return os;
85 }
86} // end llvm namespace
87
88//===----------------------------------------------------------------------===//
89// Actual Store type.
90//===----------------------------------------------------------------------===//
91
92typedef llvm::ImmutableMap<BindingKey, SVal> RegionBindings;
93
94//===----------------------------------------------------------------------===//
95// Fine-grained control of RegionStoreManager.
96//===----------------------------------------------------------------------===//
97
98namespace {
99struct minimal_features_tag {};
100struct maximal_features_tag {};
101
102class RegionStoreFeatures {
103 bool SupportsFields;
104 bool SupportsRemaining;
105
106public:
107 RegionStoreFeatures(minimal_features_tag) :
108 SupportsFields(false), SupportsRemaining(false) {}
109
110 RegionStoreFeatures(maximal_features_tag) :
111 SupportsFields(true), SupportsRemaining(false) {}
112
113 void enableFields(bool t) { SupportsFields = t; }
114
115 bool supportsFields() const { return SupportsFields; }
116 bool supportsRemaining() const { return SupportsRemaining; }
117};
118}
119
120//===----------------------------------------------------------------------===//
121// Region "Extents"
122//===----------------------------------------------------------------------===//
123//
124// MemRegions represent chunks of memory with a size (their "extent"). This
125// GDM entry tracks the extents for regions. Extents are in bytes.
126//
127namespace { class RegionExtents {}; }
128static int RegionExtentsIndex = 0;
129namespace clang {
130 template<> struct GRStateTrait<RegionExtents>
131 : public GRStatePartialTrait<llvm::ImmutableMap<const MemRegion*, SVal> > {
132 static void* GDMIndex() { return &RegionExtentsIndex; }
133 };
134}
135
136//===----------------------------------------------------------------------===//
137// Utility functions.
138//===----------------------------------------------------------------------===//
139
140static bool IsAnyPointerOrIntptr(QualType ty, ASTContext &Ctx) {
141 if (ty->isAnyPointerType())
142 return true;
143
144 return ty->isIntegerType() && ty->isScalarType() &&
145 Ctx.getTypeSize(ty) == Ctx.getTypeSize(Ctx.VoidPtrTy);
146}
147
148//===----------------------------------------------------------------------===//
149// Main RegionStore logic.
150//===----------------------------------------------------------------------===//
151
152namespace {
153
154class RegionStoreSubRegionMap : public SubRegionMap {
155public:
156 typedef llvm::ImmutableSet<const MemRegion*> Set;
157 typedef llvm::DenseMap<const MemRegion*, Set> Map;
158private:
159 Set::Factory F;
160 Map M;
161public:
162 bool add(const MemRegion* Parent, const MemRegion* SubRegion) {
163 Map::iterator I = M.find(Parent);
164
165 if (I == M.end()) {
166 M.insert(std::make_pair(Parent, F.Add(F.GetEmptySet(), SubRegion)));
167 return true;
168 }
169
170 I->second = F.Add(I->second, SubRegion);
171 return false;
172 }
173
174 void process(llvm::SmallVectorImpl<const SubRegion*> &WL, const SubRegion *R);
175
176 ~RegionStoreSubRegionMap() {}
177
178 const Set *getSubRegions(const MemRegion *Parent) const {
179 Map::const_iterator I = M.find(Parent);
180 return I == M.end() ? NULL : &I->second;
181 }
182
183 bool iterSubRegions(const MemRegion* Parent, Visitor& V) const {
184 Map::const_iterator I = M.find(Parent);
185
186 if (I == M.end())
187 return true;
188
189 Set S = I->second;
190 for (Set::iterator SI=S.begin(),SE=S.end(); SI != SE; ++SI) {
191 if (!V.Visit(Parent, *SI))
192 return false;
193 }
194
195 return true;
196 }
197};
198
199
200class RegionStoreManager : public StoreManager {
201 const RegionStoreFeatures Features;
202 RegionBindings::Factory RBFactory;
203
204 typedef llvm::DenseMap<Store, RegionStoreSubRegionMap*> SMCache;
205 SMCache SC;
206
207public:
208 RegionStoreManager(GRStateManager& mgr, const RegionStoreFeatures &f)
209 : StoreManager(mgr),
210 Features(f),
211 RBFactory(mgr.getAllocator()) {}
212
213 virtual ~RegionStoreManager() {
214 for (SMCache::iterator I = SC.begin(), E = SC.end(); I != E; ++I)
215 delete (*I).second;
216 }
217
218 SubRegionMap *getSubRegionMap(Store store) {
219 return getRegionStoreSubRegionMap(store);
220 }
221
222 RegionStoreSubRegionMap *getRegionStoreSubRegionMap(Store store);
223
224 Optional<SVal> getBinding(RegionBindings B, const MemRegion *R);
225 Optional<SVal> getDirectBinding(RegionBindings B, const MemRegion *R);
226 /// getDefaultBinding - Returns an SVal* representing an optional default
227 /// binding associated with a region and its subregions.
228 Optional<SVal> getDefaultBinding(RegionBindings B, const MemRegion *R);
229
230 /// setImplicitDefaultValue - Set the default binding for the provided
231 /// MemRegion to the value implicitly defined for compound literals when
232 /// the value is not specified.
233 Store setImplicitDefaultValue(Store store, const MemRegion *R, QualType T);
234
235 /// ArrayToPointer - Emulates the "decay" of an array to a pointer
236 /// type. 'Array' represents the lvalue of the array being decayed
237 /// to a pointer, and the returned SVal represents the decayed
238 /// version of that lvalue (i.e., a pointer to the first element of
239 /// the array). This is called by GRExprEngine when evaluating
240 /// casts from arrays to pointers.
241 SVal ArrayToPointer(Loc Array);
242
243 SVal EvalBinOp(BinaryOperator::Opcode Op,Loc L, NonLoc R, QualType resultTy);
244
245 Store getInitialStore(const LocationContext *InitLoc) {
246 return RBFactory.GetEmptyMap().getRoot();
247 }
248
249 //===-------------------------------------------------------------------===//
250 // Binding values to regions.
251 //===-------------------------------------------------------------------===//
252
253 Store InvalidateRegion(Store store, const MemRegion *R, const Expr *E,
254 unsigned Count, InvalidatedSymbols *IS) {
255 return RegionStoreManager::InvalidateRegions(store, &R, &R+1, E, Count, IS);
256 }
257
258 Store InvalidateRegions(Store store,
259 const MemRegion * const *Begin,
260 const MemRegion * const *End,
261 const Expr *E, unsigned Count,
262 InvalidatedSymbols *IS);
263
264public: // Made public for helper classes.
265
266 void RemoveSubRegionBindings(RegionBindings &B, const MemRegion *R,
267 RegionStoreSubRegionMap &M);
268
269 RegionBindings Add(RegionBindings B, BindingKey K, SVal V);
270
271 RegionBindings Add(RegionBindings B, const MemRegion *R,
272 BindingKey::Kind k, SVal V);
273
274 const SVal *Lookup(RegionBindings B, BindingKey K);
275 const SVal *Lookup(RegionBindings B, const MemRegion *R, BindingKey::Kind k);
276
277 RegionBindings Remove(RegionBindings B, BindingKey K);
278 RegionBindings Remove(RegionBindings B, const MemRegion *R,
279 BindingKey::Kind k);
280
281 RegionBindings Remove(RegionBindings B, const MemRegion *R) {
282 return Remove(Remove(B, R, BindingKey::Direct), R, BindingKey::Default);
283 }
284
285 Store Remove(Store store, BindingKey K);
286
287public: // Part of public interface to class.
288
289 Store Bind(Store store, Loc LV, SVal V);
290
291 Store BindCompoundLiteral(Store store, const CompoundLiteralExpr* CL,
292 const LocationContext *LC, SVal V);
293
294 Store BindDecl(Store store, const VarRegion *VR, SVal InitVal);
295
296 Store BindDeclWithNoInit(Store store, const VarRegion *) {
297 return store;
298 }
299
300 /// BindStruct - Bind a compound value to a structure.
301 Store BindStruct(Store store, const TypedRegion* R, SVal V);
302
303 Store BindArray(Store store, const TypedRegion* R, SVal V);
304
305 /// KillStruct - Set the entire struct to unknown.
306 Store KillStruct(Store store, const TypedRegion* R);
307
308 Store Remove(Store store, Loc LV);
309
310
311 //===------------------------------------------------------------------===//
312 // Loading values from regions.
313 //===------------------------------------------------------------------===//
314
315 /// The high level logic for this method is this:
316 /// Retrieve (L)
317 /// if L has binding
318 /// return L's binding
319 /// else if L is in killset
320 /// return unknown
321 /// else
322 /// if L is on stack or heap
323 /// return undefined
324 /// else
325 /// return symbolic
326 SVal Retrieve(Store store, Loc L, QualType T = QualType());
327
328 SVal RetrieveElement(Store store, const ElementRegion *R);
329
330 SVal RetrieveField(Store store, const FieldRegion *R);
331
332 SVal RetrieveObjCIvar(Store store, const ObjCIvarRegion *R);
333
334 SVal RetrieveVar(Store store, const VarRegion *R);
335
336 SVal RetrieveLazySymbol(const TypedRegion *R);
337
338 SVal RetrieveFieldOrElementCommon(Store store, const TypedRegion *R,
339 QualType Ty, const MemRegion *superR);
340
341 /// Retrieve the values in a struct and return a CompoundVal, used when doing
342 /// struct copy:
343 /// struct s x, y;
344 /// x = y;
345 /// y's value is retrieved by this method.
346 SVal RetrieveStruct(Store store, const TypedRegion* R);
347
348 SVal RetrieveArray(Store store, const TypedRegion* R);
349
350 /// Get the state and region whose binding this region R corresponds to.
351 std::pair<Store, const MemRegion*>
352 GetLazyBinding(RegionBindings B, const MemRegion *R);
353
354 Store CopyLazyBindings(nonloc::LazyCompoundVal V, Store store,
355 const TypedRegion *R);
356
357 const ElementRegion *GetElementZeroRegion(const MemRegion *R, QualType T);
358
359 //===------------------------------------------------------------------===//
360 // State pruning.
361 //===------------------------------------------------------------------===//
362
363 /// RemoveDeadBindings - Scans the RegionStore of 'state' for dead values.
364 /// It returns a new Store with these values removed.
365 Store RemoveDeadBindings(Store store, Stmt* Loc, SymbolReaper& SymReaper,
366 llvm::SmallVectorImpl<const MemRegion*>& RegionRoots);
367
368 const GRState *EnterStackFrame(const GRState *state,
369 const StackFrameContext *frame);
370
371 //===------------------------------------------------------------------===//
372 // Region "extents".
373 //===------------------------------------------------------------------===//
374
375 const GRState *setExtent(const GRState *state,const MemRegion* R,SVal Extent);
376 DefinedOrUnknownSVal getSizeInElements(const GRState *state,
377 const MemRegion* R, QualType EleTy);
378
379 //===------------------------------------------------------------------===//
380 // Utility methods.
381 //===------------------------------------------------------------------===//
382
383 static inline RegionBindings GetRegionBindings(Store store) {
384 return RegionBindings(static_cast<const RegionBindings::TreeTy*>(store));
385 }
386
387 void print(Store store, llvm::raw_ostream& Out, const char* nl,
388 const char *sep);
389
390 void iterBindings(Store store, BindingsHandler& f) {
391 // FIXME: Implement.
392 }
393
394 // FIXME: Remove.
395 BasicValueFactory& getBasicVals() {
396 return StateMgr.getBasicVals();
397 }
398
399 // FIXME: Remove.
400 ASTContext& getContext() { return StateMgr.getContext(); }
401};
402
403} // end anonymous namespace
404
405//===----------------------------------------------------------------------===//
406// RegionStore creation.
407//===----------------------------------------------------------------------===//
408
409StoreManager *clang::CreateRegionStoreManager(GRStateManager& StMgr) {
410 RegionStoreFeatures F = maximal_features_tag();
411 return new RegionStoreManager(StMgr, F);
412}
413
414StoreManager *clang::CreateFieldsOnlyRegionStoreManager(GRStateManager &StMgr) {
415 RegionStoreFeatures F = minimal_features_tag();
416 F.enableFields(true);
417 return new RegionStoreManager(StMgr, F);
418}
419
420void
421RegionStoreSubRegionMap::process(llvm::SmallVectorImpl<const SubRegion*> &WL,
422 const SubRegion *R) {
423 const MemRegion *superR = R->getSuperRegion();
424 if (add(superR, R))
425 if (const SubRegion *sr = dyn_cast<SubRegion>(superR))
426 WL.push_back(sr);
427}
428
429RegionStoreSubRegionMap*
430RegionStoreManager::getRegionStoreSubRegionMap(Store store) {
431 RegionBindings B = GetRegionBindings(store);
432 RegionStoreSubRegionMap *M = new RegionStoreSubRegionMap();
433
434 llvm::SmallVector<const SubRegion*, 10> WL;
435
436 for (RegionBindings::iterator I=B.begin(), E=B.end(); I!=E; ++I)
437 if (const SubRegion *R = dyn_cast<SubRegion>(I.getKey().getRegion()))
438 M->process(WL, R);
439
440 // We also need to record in the subregion map "intermediate" regions that
441 // don't have direct bindings but are super regions of those that do.
442 while (!WL.empty()) {
443 const SubRegion *R = WL.back();
444 WL.pop_back();
445 M->process(WL, R);
446 }
447
448 return M;
449}
450
451//===----------------------------------------------------------------------===//
452// Binding invalidation.
453//===----------------------------------------------------------------------===//
454
455void RegionStoreManager::RemoveSubRegionBindings(RegionBindings &B,
456 const MemRegion *R,
457 RegionStoreSubRegionMap &M) {
458
459 if (const RegionStoreSubRegionMap::Set *S = M.getSubRegions(R))
460 for (RegionStoreSubRegionMap::Set::iterator I = S->begin(), E = S->end();
461 I != E; ++I)
462 RemoveSubRegionBindings(B, *I, M);
463
464 B = Remove(B, R);
465}
466
467namespace {
468class InvalidateRegionsWorker {
469 typedef BumpVector<BindingKey> RegionCluster;
470 typedef llvm::DenseMap<const MemRegion *, RegionCluster *> ClusterMap;
471 typedef llvm::SmallVector<std::pair<const MemRegion *,RegionCluster*>, 10>
472 WorkList;
473
474 BumpVectorContext BVC;
475 ClusterMap ClusterM;
476 WorkList WL;
477public:
478 Store InvalidateRegions(RegionStoreManager &RM, Store store,
479 const MemRegion * const *I,const MemRegion * const *E,
480 const Expr *Ex, unsigned Count,
481 StoreManager::InvalidatedSymbols *IS,
482 ASTContext &Ctx, ValueManager &ValMgr);
483
484private:
485 void AddToWorkList(BindingKey K);
486 void AddToWorkList(const MemRegion *R);
487 void AddToCluster(BindingKey K);
488 RegionCluster **getCluster(const MemRegion *R);
489};
490}
491
492void InvalidateRegionsWorker::AddToCluster(BindingKey K) {
493 const MemRegion *R = K.getRegion();
494 const MemRegion *baseR = R->getBaseRegion();
495 RegionCluster **CPtr = getCluster(baseR);
496 assert(*CPtr);
497 (*CPtr)->push_back(K, BVC);
498}
499
500void InvalidateRegionsWorker::AddToWorkList(BindingKey K) {
501 AddToWorkList(K.getRegion());
502}
503
504void InvalidateRegionsWorker::AddToWorkList(const MemRegion *R) {
505 const MemRegion *baseR = R->getBaseRegion();
506 RegionCluster **CPtr = getCluster(baseR);
507 if (RegionCluster *C = *CPtr) {
508 WL.push_back(std::make_pair(baseR, C));
509 *CPtr = NULL;
510 }
511}
512
513InvalidateRegionsWorker::RegionCluster **
514InvalidateRegionsWorker::getCluster(const MemRegion *R) {
515 RegionCluster *&CRef = ClusterM[R];
516 if (!CRef) {
517 void *Mem = BVC.getAllocator().Allocate<RegionCluster>();
518 CRef = new (Mem) RegionCluster(BVC, 10);
519 }
520 return &CRef;
521}
522
523Store InvalidateRegionsWorker::InvalidateRegions(RegionStoreManager &RM,
524 Store store,
525 const MemRegion * const *I,
526 const MemRegion * const *E,
527 const Expr *Ex, unsigned Count,
528 StoreManager::InvalidatedSymbols *IS,
529 ASTContext &Ctx,
530 ValueManager &ValMgr) {
531 RegionBindings B = RegionStoreManager::GetRegionBindings(store);
532
533 // Scan the entire store and make the region clusters.
534 for (RegionBindings::iterator RI = B.begin(), RE = B.end(); RI != RE; ++RI) {
535 AddToCluster(RI.getKey());
536 if (const MemRegion *R = RI.getData().getAsRegion()) {
537 // Generate a cluster, but don't add the region to the cluster
538 // if there aren't any bindings.
539 getCluster(R->getBaseRegion());
540 }
541 }
542
543 // Add the cluster for I .. E to a worklist.
544 for ( ; I != E; ++I)
545 AddToWorkList(*I);
546
547 while (!WL.empty()) {
548 const MemRegion *baseR;
549 RegionCluster *C;
550 llvm::tie(baseR, C) = WL.back();
551 WL.pop_back();
552
553 for (RegionCluster::iterator I = C->begin(), E = C->end(); I != E; ++I) {
554 BindingKey K = *I;
555
556 // Get the old binding. Is it a region? If so, add it to the worklist.
557 if (const SVal *V = RM.Lookup(B, K)) {
558 if (const MemRegion *R = V->getAsRegion())
559 AddToWorkList(R);
560
561 // A symbol? Mark it touched by the invalidation.
562 if (IS)
563 if (SymbolRef Sym = V->getAsSymbol())
564 IS->insert(Sym);
565 }
566
567 B = RM.Remove(B, K);
568 }
569
570 // Now inspect the base region.
571
572 if (IS) {
573 // Symbolic region? Mark that symbol touched by the invalidation.
574 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR))
575 IS->insert(SR->getSymbol());
576 }
577
578 // BlockDataRegion? If so, invalidate captured variables that are passed
579 // by reference.
580 if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(baseR)) {
581 for (BlockDataRegion::referenced_vars_iterator
582 BI = BR->referenced_vars_begin(), BE = BR->referenced_vars_end() ;
583 BI != BE; ++BI) {
584 const VarRegion *VR = *BI;
585 const VarDecl *VD = VR->getDecl();
586 if (VD->getAttr<BlocksAttr>() || !VD->hasLocalStorage())
587 AddToWorkList(VR);
588 }
589 continue;
590 }
591
592 if (isa<AllocaRegion>(baseR) || isa<SymbolicRegion>(baseR)) {
593 // Invalidate the region by setting its default value to
594 // conjured symbol. The type of the symbol is irrelavant.
595 DefinedOrUnknownSVal V = ValMgr.getConjuredSymbolVal(baseR, Ex, Ctx.IntTy,
596 Count);
597 B = RM.Add(B, baseR, BindingKey::Default, V);
598 continue;
599 }
600
601 if (!baseR->isBoundable())
602 continue;
603
604 const TypedRegion *TR = cast<TypedRegion>(baseR);
605 QualType T = TR->getValueType(Ctx);
606
607 // Invalidate the binding.
608 if (const RecordType *RT = T->getAsStructureType()) {
609 const RecordDecl *RD = RT->getDecl()->getDefinition(Ctx);
610 // No record definition. There is nothing we can do.
611 if (!RD) {
612 B = RM.Remove(B, baseR);
613 continue;
614 }
615
616 // Invalidate the region by setting its default value to
617 // conjured symbol. The type of the symbol is irrelavant.
618 DefinedOrUnknownSVal V = ValMgr.getConjuredSymbolVal(baseR, Ex, Ctx.IntTy,
619 Count);
620 B = RM.Add(B, baseR, BindingKey::Default, V);
621 continue;
622 }
623
624 if (const ArrayType *AT = Ctx.getAsArrayType(T)) {
625 // Set the default value of the array to conjured symbol.
626 DefinedOrUnknownSVal V =
627 ValMgr.getConjuredSymbolVal(baseR, Ex, AT->getElementType(), Count);
628 B = RM.Add(B, baseR, BindingKey::Default, V);
629 continue;
630 }
631
632 DefinedOrUnknownSVal V = ValMgr.getConjuredSymbolVal(baseR, Ex, T, Count);
633 assert(SymbolManager::canSymbolicate(T) || V.isUnknown());
634 B = RM.Add(B, baseR, BindingKey::Direct, V);
635 }
636
637 // Create a new state with the updated bindings.
638 return B.getRoot();
639}
640
641Store RegionStoreManager::InvalidateRegions(Store store,
642 const MemRegion * const *I,
643 const MemRegion * const *E,
644 const Expr *Ex, unsigned Count,
645 InvalidatedSymbols *IS) {
646 InvalidateRegionsWorker W;
647 return W.InvalidateRegions(*this, store, I, E, Ex, Count, IS, getContext(),
648 StateMgr.getValueManager());
649}
650
651//===----------------------------------------------------------------------===//
652// Extents for regions.
653//===----------------------------------------------------------------------===//
654
655DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state,
656 const MemRegion *R,
657 QualType EleTy) {
658
659 switch (R->getKind()) {
660 case MemRegion::CXXThisRegionKind:
661 assert(0 && "Cannot get size of 'this' region");
662 case MemRegion::GenericMemSpaceRegionKind:
663 case MemRegion::StackLocalsSpaceRegionKind:
664 case MemRegion::StackArgumentsSpaceRegionKind:
665 case MemRegion::HeapSpaceRegionKind:
666 case MemRegion::GlobalsSpaceRegionKind:
667 case MemRegion::UnknownSpaceRegionKind:
668 assert(0 && "Cannot index into a MemSpace");
669 return UnknownVal();
670
671 case MemRegion::FunctionTextRegionKind:
672 case MemRegion::BlockTextRegionKind:
673 case MemRegion::BlockDataRegionKind:
674 // Technically this can happen if people do funny things with casts.
675 return UnknownVal();
676
677 // Not yet handled.
678 case MemRegion::AllocaRegionKind:
679 case MemRegion::CompoundLiteralRegionKind:
680 case MemRegion::ElementRegionKind:
681 case MemRegion::FieldRegionKind:
682 case MemRegion::ObjCIvarRegionKind:
683 case MemRegion::CXXObjectRegionKind:
684 return UnknownVal();
685
686 case MemRegion::SymbolicRegionKind: {
687 const SVal *Size = state->get<RegionExtents>(R);
688 if (!Size)
689 return UnknownVal();
690 const nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(Size);
691 if (!CI)
692 return UnknownVal();
693
694 CharUnits RegionSize =
695 CharUnits::fromQuantity(CI->getValue().getSExtValue());
696 CharUnits EleSize = getContext().getTypeSizeInChars(EleTy);
697 assert(RegionSize % EleSize == 0);
698
699 return ValMgr.makeIntVal(RegionSize / EleSize, false);
700 }
701
702 case MemRegion::StringRegionKind: {
703 const StringLiteral* Str = cast<StringRegion>(R)->getStringLiteral();
704 // We intentionally made the size value signed because it participates in
705 // operations with signed indices.
706 return ValMgr.makeIntVal(Str->getByteLength()+1, false);
707 }
708
709 case MemRegion::VarRegionKind: {
710 const VarRegion* VR = cast<VarRegion>(R);
711 // Get the type of the variable.
712 QualType T = VR->getDesugaredValueType(getContext());
713
714 // FIXME: Handle variable-length arrays.
715 if (isa<VariableArrayType>(T))
716 return UnknownVal();
717
718 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(T)) {
719 // return the size as signed integer.
720 return ValMgr.makeIntVal(CAT->getSize(), false);
721 }
722
723 // Clients can use ordinary variables as if they were arrays. These
724 // essentially are arrays of size 1.
725 return ValMgr.makeIntVal(1, false);
726 }
727 }
728
729 assert(0 && "Unreachable");
730 return UnknownVal();
731}
732
733const GRState *RegionStoreManager::setExtent(const GRState *state,
734 const MemRegion *region,
735 SVal extent) {
736 return state->set<RegionExtents>(region, extent);
737}
738
739//===----------------------------------------------------------------------===//
740// Location and region casting.
741//===----------------------------------------------------------------------===//
742
743/// ArrayToPointer - Emulates the "decay" of an array to a pointer
744/// type. 'Array' represents the lvalue of the array being decayed
745/// to a pointer, and the returned SVal represents the decayed
746/// version of that lvalue (i.e., a pointer to the first element of
747/// the array). This is called by GRExprEngine when evaluating casts
748/// from arrays to pointers.
749SVal RegionStoreManager::ArrayToPointer(Loc Array) {
750 if (!isa<loc::MemRegionVal>(Array))
751 return UnknownVal();
752
753 const MemRegion* R = cast<loc::MemRegionVal>(&Array)->getRegion();
754 const TypedRegion* ArrayR = dyn_cast<TypedRegion>(R);
755
756 if (!ArrayR)
757 return UnknownVal();
758
759 // Strip off typedefs from the ArrayRegion's ValueType.
760 QualType T = ArrayR->getValueType(getContext()).getDesugaredType();
761 ArrayType *AT = cast<ArrayType>(T);
762 T = AT->getElementType();
763
764 SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
765 return loc::MemRegionVal(MRMgr.getElementRegion(T, ZeroIdx, ArrayR,
766 getContext()));
767}
768
769//===----------------------------------------------------------------------===//
770// Pointer arithmetic.
771//===----------------------------------------------------------------------===//
772
773SVal RegionStoreManager::EvalBinOp(BinaryOperator::Opcode Op, Loc L, NonLoc R,
774 QualType resultTy) {
775 // Assume the base location is MemRegionVal.
776 if (!isa<loc::MemRegionVal>(L))
777 return UnknownVal();
778
779 const MemRegion* MR = cast<loc::MemRegionVal>(L).getRegion();
780 const ElementRegion *ER = 0;
781
782 switch (MR->getKind()) {
783 case MemRegion::SymbolicRegionKind: {
784 const SymbolicRegion *SR = cast<SymbolicRegion>(MR);
785 SymbolRef Sym = SR->getSymbol();
786 QualType T = Sym->getType(getContext());
787 QualType EleTy;
788
789 if (const PointerType *PT = T->getAs<PointerType>())
790 EleTy = PT->getPointeeType();
791 else
792 EleTy = T->getAs<ObjCObjectPointerType>()->getPointeeType();
793
794 SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
795 ER = MRMgr.getElementRegion(EleTy, ZeroIdx, SR, getContext());
796 break;
797 }
798 case MemRegion::AllocaRegionKind: {
799 const AllocaRegion *AR = cast<AllocaRegion>(MR);
800 QualType T = getContext().CharTy; // Create an ElementRegion of bytes.
801 QualType EleTy = T->getAs<PointerType>()->getPointeeType();
802 SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
803 ER = MRMgr.getElementRegion(EleTy, ZeroIdx, AR, getContext());
804 break;
805 }
806
807 case MemRegion::ElementRegionKind: {
808 ER = cast<ElementRegion>(MR);
809 break;
810 }
811
812 // Not yet handled.
813 case MemRegion::VarRegionKind:
814 case MemRegion::StringRegionKind: {
815
816 }
817 // Fall-through.
818 case MemRegion::CompoundLiteralRegionKind:
819 case MemRegion::FieldRegionKind:
820 case MemRegion::ObjCIvarRegionKind:
821 case MemRegion::CXXObjectRegionKind:
822 return UnknownVal();
823
824 case MemRegion::FunctionTextRegionKind:
825 case MemRegion::BlockTextRegionKind:
826 case MemRegion::BlockDataRegionKind:
827 // Technically this can happen if people do funny things with casts.
828 return UnknownVal();
829
830 case MemRegion::CXXThisRegionKind:
831 assert(0 &&
832 "Cannot perform pointer arithmetic on implicit argument 'this'");
833 case MemRegion::GenericMemSpaceRegionKind:
834 case MemRegion::StackLocalsSpaceRegionKind:
835 case MemRegion::StackArgumentsSpaceRegionKind:
836 case MemRegion::HeapSpaceRegionKind:
837 case MemRegion::GlobalsSpaceRegionKind:
838 case MemRegion::UnknownSpaceRegionKind:
839 assert(0 && "Cannot perform pointer arithmetic on a MemSpace");
840 return UnknownVal();
841 }
842
843 SVal Idx = ER->getIndex();
844 nonloc::ConcreteInt* Base = dyn_cast<nonloc::ConcreteInt>(&Idx);
845
846 // For now, only support:
847 // (a) concrete integer indices that can easily be resolved
848 // (b) 0 + symbolic index
849 if (Base) {
850 if (nonloc::ConcreteInt *Offset = dyn_cast<nonloc::ConcreteInt>(&R)) {
851 // FIXME: Should use SValuator here.
852 SVal NewIdx =
853 Base->evalBinOp(ValMgr, Op,
854 cast<nonloc::ConcreteInt>(ValMgr.convertToArrayIndex(*Offset)));
855 const MemRegion* NewER =
856 MRMgr.getElementRegion(ER->getElementType(), NewIdx,
857 ER->getSuperRegion(), getContext());
858 return ValMgr.makeLoc(NewER);
859 }
860 if (0 == Base->getValue()) {
861 const MemRegion* NewER =
862 MRMgr.getElementRegion(ER->getElementType(), R,
863 ER->getSuperRegion(), getContext());
864 return ValMgr.makeLoc(NewER);
865 }
866 }
867
868 return UnknownVal();
869}
870
871//===----------------------------------------------------------------------===//
872// Loading values from regions.
873//===----------------------------------------------------------------------===//
874
875Optional<SVal> RegionStoreManager::getDirectBinding(RegionBindings B,
876 const MemRegion *R) {
877 if (const SVal *V = Lookup(B, R, BindingKey::Direct))
878 return *V;
879
880 return Optional<SVal>();
881}
882
883Optional<SVal> RegionStoreManager::getDefaultBinding(RegionBindings B,
884 const MemRegion *R) {
885 if (R->isBoundable())
886 if (const TypedRegion *TR = dyn_cast<TypedRegion>(R))
887 if (TR->getValueType(getContext())->isUnionType())
888 return UnknownVal();
889
890 if (const SVal *V = Lookup(B, R, BindingKey::Default))
891 return *V;
892
893 return Optional<SVal>();
894}
895
896Optional<SVal> RegionStoreManager::getBinding(RegionBindings B,
897 const MemRegion *R) {
898
899 if (Optional<SVal> V = getDirectBinding(B, R))
900 return V;
901
902 return getDefaultBinding(B, R);
903}
904
905static bool IsReinterpreted(QualType RTy, QualType UsedTy, ASTContext &Ctx) {
906 RTy = Ctx.getCanonicalType(RTy);
907 UsedTy = Ctx.getCanonicalType(UsedTy);
908
909 if (RTy == UsedTy)
910 return false;
911
912
913 // Recursively check the types. We basically want to see if a pointer value
914 // is ever reinterpreted as a non-pointer, e.g. void** and intptr_t*
915 // represents a reinterpretation.
916 if (Loc::IsLocType(RTy) && Loc::IsLocType(UsedTy)) {
917 const PointerType *PRTy = RTy->getAs<PointerType>();
918 const PointerType *PUsedTy = UsedTy->getAs<PointerType>();
919
920 return PUsedTy && PRTy &&
921 IsReinterpreted(PRTy->getPointeeType(),
922 PUsedTy->getPointeeType(), Ctx);
923 }
924
925 return true;
926}
927
928const ElementRegion *
929RegionStoreManager::GetElementZeroRegion(const MemRegion *R, QualType T) {
930 ASTContext &Ctx = getContext();
931 SVal idx = ValMgr.makeZeroArrayIndex();
932 assert(!T.isNull());
933 return MRMgr.getElementRegion(T, idx, R, Ctx);
934}
935
936SVal RegionStoreManager::Retrieve(Store store, Loc L, QualType T) {
937 assert(!isa<UnknownVal>(L) && "location unknown");
938 assert(!isa<UndefinedVal>(L) && "location undefined");
939
940 // FIXME: Is this even possible? Shouldn't this be treated as a null
941 // dereference at a higher level?
942 if (isa<loc::ConcreteInt>(L))
943 return UndefinedVal();
944
945 const MemRegion *MR = cast<loc::MemRegionVal>(L).getRegion();
946
947 if (isa<AllocaRegion>(MR) || isa<SymbolicRegion>(MR))
948 MR = GetElementZeroRegion(MR, T);
949
950 if (isa<CodeTextRegion>(MR))
951 return UnknownVal();
952
953 // FIXME: Perhaps this method should just take a 'const MemRegion*' argument
954 // instead of 'Loc', and have the other Loc cases handled at a higher level.
955 const TypedRegion *R = cast<TypedRegion>(MR);
956 QualType RTy = R->getValueType(getContext());
957
958 // FIXME: We should eventually handle funny addressing. e.g.:
959 //
960 // int x = ...;
961 // int *p = &x;
962 // char *q = (char*) p;
963 // char c = *q; // returns the first byte of 'x'.
964 //
965 // Such funny addressing will occur due to layering of regions.
966
967#if 0
968 ASTContext &Ctx = getContext();
969 if (!T.isNull() && IsReinterpreted(RTy, T, Ctx)) {
970 SVal ZeroIdx = ValMgr.makeZeroArrayIndex();
971 R = MRMgr.getElementRegion(T, ZeroIdx, R, Ctx);
972 RTy = T;
973 assert(Ctx.getCanonicalType(RTy) ==
974 Ctx.getCanonicalType(R->getValueType(Ctx)));
975 }
976#endif
977
978 if (RTy->isStructureType())
979 return RetrieveStruct(store, R);
980
981 // FIXME: Handle unions.
982 if (RTy->isUnionType())
983 return UnknownVal();
984
985 if (RTy->isArrayType())
986 return RetrieveArray(store, R);
987
988 // FIXME: handle Vector types.
989 if (RTy->isVectorType())
990 return UnknownVal();
991
992 if (const FieldRegion* FR = dyn_cast<FieldRegion>(R))
993 return CastRetrievedVal(RetrieveField(store, FR), FR, T, false);
994
995 if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
996 // FIXME: Here we actually perform an implicit conversion from the loaded
997 // value to the element type. Eventually we want to compose these values
998 // more intelligently. For example, an 'element' can encompass multiple
999 // bound regions (e.g., several bound bytes), or could be a subset of
1000 // a larger value.
1001 return CastRetrievedVal(RetrieveElement(store, ER), ER, T, false);
1002 }
1003
1004 if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) {
1005 // FIXME: Here we actually perform an implicit conversion from the loaded
1006 // value to the ivar type. What we should model is stores to ivars
1007 // that blow past the extent of the ivar. If the address of the ivar is
1008 // reinterpretted, it is possible we stored a different value that could
1009 // fit within the ivar. Either we need to cast these when storing them
1010 // or reinterpret them lazily (as we do here).
1011 return CastRetrievedVal(RetrieveObjCIvar(store, IVR), IVR, T, false);
1012 }
1013
1014 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
1015 // FIXME: Here we actually perform an implicit conversion from the loaded
1016 // value to the variable type. What we should model is stores to variables
1017 // that blow past the extent of the variable. If the address of the
1018 // variable is reinterpretted, it is possible we stored a different value
1019 // that could fit within the variable. Either we need to cast these when
1020 // storing them or reinterpret them lazily (as we do here).
1021 return CastRetrievedVal(RetrieveVar(store, VR), VR, T, false);
1022 }
1023
1024 RegionBindings B = GetRegionBindings(store);
1025 const SVal *V = Lookup(B, R, BindingKey::Direct);
1026
1027 // Check if the region has a binding.
1028 if (V)
1029 return *V;
1030
1031 // The location does not have a bound value. This means that it has
1032 // the value it had upon its creation and/or entry to the analyzed
1033 // function/method. These are either symbolic values or 'undefined'.
1034 if (R->hasStackNonParametersStorage()) {
1035 // All stack variables are considered to have undefined values
1036 // upon creation. All heap allocated blocks are considered to
1037 // have undefined values as well unless they are explicitly bound
1038 // to specific values.
1039 return UndefinedVal();
1040 }
1041
1042 // All other values are symbolic.
1043 return ValMgr.getRegionValueSymbolVal(R, RTy);
1044}
1045
1046std::pair<Store, const MemRegion *>
1047RegionStoreManager::GetLazyBinding(RegionBindings B, const MemRegion *R) {
1048 if (Optional<SVal> OV = getDirectBinding(B, R))
1049 if (const nonloc::LazyCompoundVal *V =
1050 dyn_cast<nonloc::LazyCompoundVal>(OV.getPointer()))
1051 return std::make_pair(V->getStore(), V->getRegion());
1052
1053 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
1054 const std::pair<Store, const MemRegion *> &X =
1055 GetLazyBinding(B, ER->getSuperRegion());
1056
1057 if (X.second)
1058 return std::make_pair(X.first,
1059 MRMgr.getElementRegionWithSuper(ER, X.second));
1060 }
1061 else if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) {
1062 const std::pair<Store, const MemRegion *> &X =
1063 GetLazyBinding(B, FR->getSuperRegion());
1064
1065 if (X.second)
1066 return std::make_pair(X.first,
1067 MRMgr.getFieldRegionWithSuper(FR, X.second));
1068 }
1069 // The NULL MemRegion indicates an non-existent lazy binding. A NULL Store is
1070 // possible for a valid lazy binding.
1071 return std::make_pair((Store) 0, (const MemRegion *) 0);
1072}
1073
1074SVal RegionStoreManager::RetrieveElement(Store store,
1075 const ElementRegion* R) {
1076 // Check if the region has a binding.
1077 RegionBindings B = GetRegionBindings(store);
1078 if (Optional<SVal> V = getDirectBinding(B, R))
1079 return *V;
1080
1081 const MemRegion* superR = R->getSuperRegion();
1082
1083 // Check if the region is an element region of a string literal.
1084 if (const StringRegion *StrR=dyn_cast<StringRegion>(superR)) {
1085 // FIXME: Handle loads from strings where the literal is treated as
1086 // an integer, e.g., *((unsigned int*)"hello")
1087 ASTContext &Ctx = getContext();
1088 QualType T = Ctx.getAsArrayType(StrR->getValueType(Ctx))->getElementType();
1089 if (T != Ctx.getCanonicalType(R->getElementType()))
1090 return UnknownVal();
1091
1092 const StringLiteral *Str = StrR->getStringLiteral();
1093 SVal Idx = R->getIndex();
1094 if (nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&Idx)) {
1095 int64_t i = CI->getValue().getSExtValue();
1096 int64_t byteLength = Str->getByteLength();
1097 if (i > byteLength) {
1098 // Buffer overflow checking in GRExprEngine should handle this case,
1099 // but we shouldn't rely on it to not overflow here if that checking
1100 // is disabled.
1101 return UnknownVal();
1102 }
1103 char c = (i == byteLength) ? '\0' : Str->getStrData()[i];
1104 return ValMgr.makeIntVal(c, T);
1105 }
1106 }
1107
1108 // Check if the immediate super region has a direct binding.
1109 if (Optional<SVal> V = getDirectBinding(B, superR)) {
1110 if (SymbolRef parentSym = V->getAsSymbol())
1111 return ValMgr.getDerivedRegionValueSymbolVal(parentSym, R);
1112
1113 if (V->isUnknownOrUndef())
1114 return *V;
1115
1116 // Handle LazyCompoundVals for the immediate super region. Other cases
1117 // are handled in 'RetrieveFieldOrElementCommon'.
1118 if (const nonloc::LazyCompoundVal *LCV =
1119 dyn_cast<nonloc::LazyCompoundVal>(V)) {
1120
1121 R = MRMgr.getElementRegionWithSuper(R, LCV->getRegion());
1122 return RetrieveElement(LCV->getStore(), R);
1123 }
1124
1125 // Other cases: give up.
1126 return UnknownVal();
1127 }
1128
1129 return RetrieveFieldOrElementCommon(store, R, R->getElementType(), superR);
1130}
1131
1132SVal RegionStoreManager::RetrieveField(Store store,
1133 const FieldRegion* R) {
1134
1135 // Check if the region has a binding.
1136 RegionBindings B = GetRegionBindings(store);
1137 if (Optional<SVal> V = getDirectBinding(B, R))
1138 return *V;
1139
1140 QualType Ty = R->getValueType(getContext());
1141 return RetrieveFieldOrElementCommon(store, R, Ty, R->getSuperRegion());
1142}
1143
1144SVal RegionStoreManager::RetrieveFieldOrElementCommon(Store store,
1145 const TypedRegion *R,
1146 QualType Ty,
1147 const MemRegion *superR) {
1148
1149 // At this point we have already checked in either RetrieveElement or
1150 // RetrieveField if 'R' has a direct binding.
1151
1152 RegionBindings B = GetRegionBindings(store);
1153
1154 while (superR) {
1155 if (const Optional<SVal> &D = getDefaultBinding(B, superR)) {
1156 if (SymbolRef parentSym = D->getAsSymbol())
1157 return ValMgr.getDerivedRegionValueSymbolVal(parentSym, R);
1158
1159 if (D->isZeroConstant())
1160 return ValMgr.makeZeroVal(Ty);
1161
1162 if (D->isUnknown())
1163 return *D;
1164
1165 assert(0 && "Unknown default value");
1166 }
1167
1168 // If our super region is a field or element itself, walk up the region
1169 // hierarchy to see if there is a default value installed in an ancestor.
1170 if (isa<FieldRegion>(superR) || isa<ElementRegion>(superR)) {
1171 superR = cast<SubRegion>(superR)->getSuperRegion();
1172 continue;
1173 }
1174
1175 break;
1176 }
1177
1178 // Lazy binding?
1179 Store lazyBindingStore = NULL;
1180 const MemRegion *lazyBindingRegion = NULL;
1181 llvm::tie(lazyBindingStore, lazyBindingRegion) = GetLazyBinding(B, R);
1182
1183 if (lazyBindingRegion) {
1184 if (const ElementRegion *ER = dyn_cast<ElementRegion>(lazyBindingRegion))
1185 return RetrieveElement(lazyBindingStore, ER);
1186 return RetrieveField(lazyBindingStore,
1187 cast<FieldRegion>(lazyBindingRegion));
1188 }
1189
1190 if (R->hasStackNonParametersStorage()) {
1191 if (isa<ElementRegion>(R)) {
1192 // Currently we don't reason specially about Clang-style vectors. Check
1193 // if superR is a vector and if so return Unknown.
1194 if (const TypedRegion *typedSuperR = dyn_cast<TypedRegion>(superR)) {
1195 if (typedSuperR->getValueType(getContext())->isVectorType())
1196 return UnknownVal();
1197 }
1198 }
1199
1200 return UndefinedVal();
1201 }
1202
1203 // All other values are symbolic.
1204 return ValMgr.getRegionValueSymbolVal(R, Ty);
1205}
1206
1207SVal RegionStoreManager::RetrieveObjCIvar(Store store, const ObjCIvarRegion* R){
1208
1209 // Check if the region has a binding.
1210 RegionBindings B = GetRegionBindings(store);
1211
1212 if (Optional<SVal> V = getDirectBinding(B, R))
1213 return *V;
1214
1215 const MemRegion *superR = R->getSuperRegion();
1216
1217 // Check if the super region has a default binding.
1218 if (Optional<SVal> V = getDefaultBinding(B, superR)) {
1219 if (SymbolRef parentSym = V->getAsSymbol())
1220 return ValMgr.getDerivedRegionValueSymbolVal(parentSym, R);
1221
1222 // Other cases: give up.
1223 return UnknownVal();
1224 }
1225
1226 return RetrieveLazySymbol(R);
1227}
1228
1229SVal RegionStoreManager::RetrieveVar(Store store, const VarRegion *R) {
1230
1231 // Check if the region has a binding.
1232 RegionBindings B = GetRegionBindings(store);
1233
1234 if (Optional<SVal> V = getDirectBinding(B, R))
1235 return *V;
1236
1237 // Lazily derive a value for the VarRegion.
1238 const VarDecl *VD = R->getDecl();
1239 QualType T = VD->getType();
1240 const MemSpaceRegion *MS = R->getMemorySpace();
1241
1242 if (isa<UnknownSpaceRegion>(MS) ||
1243 isa<StackArgumentsSpaceRegion>(MS))
1244 return ValMgr.getRegionValueSymbolVal(R, T);
1245
1246 if (isa<GlobalsSpaceRegion>(MS)) {
1247 if (VD->isFileVarDecl())
1248 return ValMgr.getRegionValueSymbolVal(R, T);
1249
1250 if (T->isIntegerType())
1251 return ValMgr.makeIntVal(0, T);
1252 if (T->isPointerType())
1253 return ValMgr.makeNull();
1254
1255 return UnknownVal();
1256 }
1257
1258 return UndefinedVal();
1259}
1260
1261SVal RegionStoreManager::RetrieveLazySymbol(const TypedRegion *R) {
1262
1263 QualType valTy = R->getValueType(getContext());
1264
1265 // All other values are symbolic.
1266 return ValMgr.getRegionValueSymbolVal(R, valTy);
1267}
1268
1269SVal RegionStoreManager::RetrieveStruct(Store store, const TypedRegion* R) {
1270 QualType T = R->getValueType(getContext());
1271 assert(T->isStructureType());
1272
1273 const RecordType* RT = T->getAsStructureType();
1274 RecordDecl* RD = RT->getDecl();
1275 assert(RD->isDefinition());
1276 (void)RD;
1277#if USE_EXPLICIT_COMPOUND
1278 llvm::ImmutableList<SVal> StructVal = getBasicVals().getEmptySValList();
1279
1280 // FIXME: We shouldn't use a std::vector. If RecordDecl doesn't have a
1281 // reverse iterator, we should implement one.
1282 std::vector<FieldDecl *> Fields(RD->field_begin(), RD->field_end());
1283
1284 for (std::vector<FieldDecl *>::reverse_iterator Field = Fields.rbegin(),
1285 FieldEnd = Fields.rend();
1286 Field != FieldEnd; ++Field) {
1287 FieldRegion* FR = MRMgr.getFieldRegion(*Field, R);
1288 QualType FTy = (*Field)->getType();
1289 SVal FieldValue = Retrieve(store, loc::MemRegionVal(FR), FTy).getSVal();
1290 StructVal = getBasicVals().consVals(FieldValue, StructVal);
1291 }
1292
1293 return ValMgr.makeCompoundVal(T, StructVal);
1294#else
1295 return ValMgr.makeLazyCompoundVal(store, R);
1296#endif
1297}
1298
1299SVal RegionStoreManager::RetrieveArray(Store store, const TypedRegion * R) {
1300#if USE_EXPLICIT_COMPOUND
1301 QualType T = R->getValueType(getContext());
1302 ConstantArrayType* CAT = cast<ConstantArrayType>(T.getTypePtr());
1303
1304 llvm::ImmutableList<SVal> ArrayVal = getBasicVals().getEmptySValList();
1305 uint64_t size = CAT->getSize().getZExtValue();
1306 for (uint64_t i = 0; i < size; ++i) {
1307 SVal Idx = ValMgr.makeArrayIndex(i);
1308 ElementRegion* ER = MRMgr.getElementRegion(CAT->getElementType(), Idx, R,
1309 getContext());
1310 QualType ETy = ER->getElementType();
1311 SVal ElementVal = Retrieve(store, loc::MemRegionVal(ER), ETy).getSVal();
1312 ArrayVal = getBasicVals().consVals(ElementVal, ArrayVal);
1313 }
1314
1315 return ValMgr.makeCompoundVal(T, ArrayVal);
1316#else
1317 assert(isa<ConstantArrayType>(R->getValueType(getContext())));
1318 return ValMgr.makeLazyCompoundVal(store, R);
1319#endif
1320}
1321
1322//===----------------------------------------------------------------------===//
1323// Binding values to regions.
1324//===----------------------------------------------------------------------===//
1325
1326Store RegionStoreManager::Remove(Store store, Loc L) {
1327 if (isa<loc::MemRegionVal>(L))
1328 if (const MemRegion* R = cast<loc::MemRegionVal>(L).getRegion())
1329 return Remove(GetRegionBindings(store), R).getRoot();
1330
1331 return store;
1332}
1333
1334Store RegionStoreManager::Bind(Store store, Loc L, SVal V) {
1335 if (isa<loc::ConcreteInt>(L))
1336 return store;
1337
1338 // If we get here, the location should be a region.
1339 const MemRegion *R = cast<loc::MemRegionVal>(L).getRegion();
1340
1341 // Check if the region is a struct region.
1342 if (const TypedRegion* TR = dyn_cast<TypedRegion>(R))
1343 if (TR->getValueType(getContext())->isStructureType())
1344 return BindStruct(store, TR, V);
1345
1346 // Special case: the current region represents a cast and it and the super
1347 // region both have pointer types or intptr_t types. If so, perform the
1348 // bind to the super region.
1349 // This is needed to support OSAtomicCompareAndSwap and friends or other
1350 // loads that treat integers as pointers and vis versa.
1351 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
1352 if (ER->getIndex().isZeroConstant()) {
1353 if (const TypedRegion *superR =
1354 dyn_cast<TypedRegion>(ER->getSuperRegion())) {
1355 ASTContext &Ctx = getContext();
1356 QualType superTy = superR->getValueType(Ctx);
1357 QualType erTy = ER->getValueType(Ctx);
1358
1359 if (IsAnyPointerOrIntptr(superTy, Ctx) &&
1360 IsAnyPointerOrIntptr(erTy, Ctx)) {
1361 V = ValMgr.getSValuator().EvalCast(V, superTy, erTy);
1362 return Bind(store, loc::MemRegionVal(superR), V);
1363 }
1364 // For now, just invalidate the fields of the struct/union/class.
1365 // FIXME: Precisely handle the fields of the record.
1366 if (superTy->isRecordType())
1367 return InvalidateRegion(store, superR, NULL, 0, NULL);
1368 }
1369 }
1370 }
1371 else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
1372 // Binding directly to a symbolic region should be treated as binding
1373 // to element 0.
1374 QualType T = SR->getSymbol()->getType(getContext());
1375
1376 // FIXME: Is this the right way to handle symbols that are references?
1377 if (const PointerType *PT = T->getAs<PointerType>())
1378 T = PT->getPointeeType();
1379 else
1380 T = T->getAs<ReferenceType>()->getPointeeType();
1381
1382 R = GetElementZeroRegion(SR, T);
1383 }
1384
1385 // Perform the binding.
1386 RegionBindings B = GetRegionBindings(store);
1387 return Add(B, R, BindingKey::Direct, V).getRoot();
1388}
1389
1390Store RegionStoreManager::BindDecl(Store store, const VarRegion *VR,
1391 SVal InitVal) {
1392
1393 QualType T = VR->getDecl()->getType();
1394
1395 if (T->isArrayType())
1396 return BindArray(store, VR, InitVal);
1397 if (T->isStructureType())
1398 return BindStruct(store, VR, InitVal);
1399
1400 return Bind(store, ValMgr.makeLoc(VR), InitVal);
1401}
1402
1403// FIXME: this method should be merged into Bind().
1404Store RegionStoreManager::BindCompoundLiteral(Store store,
1405 const CompoundLiteralExpr *CL,
1406 const LocationContext *LC,
1407 SVal V) {
1408 return Bind(store, loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC)),
1409 V);
1410}
1411
1412Store RegionStoreManager::setImplicitDefaultValue(Store store,
1413 const MemRegion *R,
1414 QualType T) {
1415 RegionBindings B = GetRegionBindings(store);
1416 SVal V;
1417
1418 if (Loc::IsLocType(T))
1419 V = ValMgr.makeNull();
1420 else if (T->isIntegerType())
1421 V = ValMgr.makeZeroVal(T);
1422 else if (T->isStructureType() || T->isArrayType()) {
1423 // Set the default value to a zero constant when it is a structure
1424 // or array. The type doesn't really matter.
1425 V = ValMgr.makeZeroVal(ValMgr.getContext().IntTy);
1426 }
1427 else {
1428 return store;
1429 }
1430
1431 return Add(B, R, BindingKey::Default, V).getRoot();
1432}
1433
1434Store RegionStoreManager::BindArray(Store store, const TypedRegion* R,
1435 SVal Init) {
1436
1437 ASTContext &Ctx = getContext();
1438 const ArrayType *AT =
1439 cast<ArrayType>(Ctx.getCanonicalType(R->getValueType(Ctx)));
1440 QualType ElementTy = AT->getElementType();
1441 Optional<uint64_t> Size;
1442
1443 if (const ConstantArrayType* CAT = dyn_cast<ConstantArrayType>(AT))
1444 Size = CAT->getSize().getZExtValue();
1445
1446 // Check if the init expr is a StringLiteral.
1447 if (isa<loc::MemRegionVal>(Init)) {
1448 const MemRegion* InitR = cast<loc::MemRegionVal>(Init).getRegion();
1449 const StringLiteral* S = cast<StringRegion>(InitR)->getStringLiteral();
1450 const char* str = S->getStrData();
1451 unsigned len = S->getByteLength();
1452 unsigned j = 0;
1453
1454 // Copy bytes from the string literal into the target array. Trailing bytes
1455 // in the array that are not covered by the string literal are initialized
1456 // to zero.
1457
1458 // We assume that string constants are bound to
1459 // constant arrays.
1460 uint64_t size = Size.getValue();
1461
1462 for (uint64_t i = 0; i < size; ++i, ++j) {
1463 if (j >= len)
1464 break;
1465
1466 SVal Idx = ValMgr.makeArrayIndex(i);
1467 const ElementRegion* ER = MRMgr.getElementRegion(ElementTy, Idx, R,
1468 getContext());
1469
1470 SVal V = ValMgr.makeIntVal(str[j], sizeof(char)*8, true);
1471 store = Bind(store, loc::MemRegionVal(ER), V);
1472 }
1473
1474 return store;
1475 }
1476
1477 // Handle lazy compound values.
1478 if (nonloc::LazyCompoundVal *LCV = dyn_cast<nonloc::LazyCompoundVal>(&Init))
1479 return CopyLazyBindings(*LCV, store, R);
1480
1481 // Remaining case: explicit compound values.
1482
1483 if (Init.isUnknown())
1484 return setImplicitDefaultValue(store, R, ElementTy);
1485
1486 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(Init);
1487 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
1488 uint64_t i = 0;
1489
1490 for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) {
1491 // The init list might be shorter than the array length.
1492 if (VI == VE)
1493 break;
1494
1495 SVal Idx = ValMgr.makeArrayIndex(i);
1496 const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, getContext());
1497
1498 if (ElementTy->isStructureType())
1499 store = BindStruct(store, ER, *VI);
1500 else
1501 store = Bind(store, ValMgr.makeLoc(ER), *VI);
1502 }
1503
1504 // If the init list is shorter than the array length, set the
1505 // array default value.
1506 if (Size.hasValue() && i < Size.getValue())
1507 store = setImplicitDefaultValue(store, R, ElementTy);
1508
1509 return store;
1510}
1511
1512Store RegionStoreManager::BindStruct(Store store, const TypedRegion* R,
1513 SVal V) {
1514
1515 if (!Features.supportsFields())
1516 return store;
1517
1518 QualType T = R->getValueType(getContext());
1519 assert(T->isStructureType());
1520
1521 const RecordType* RT = T->getAs<RecordType>();
1522 RecordDecl* RD = RT->getDecl();
1523
1524 if (!RD->isDefinition())
1525 return store;
1526
1527 // Handle lazy compound values.
1528 if (const nonloc::LazyCompoundVal *LCV=dyn_cast<nonloc::LazyCompoundVal>(&V))
1529 return CopyLazyBindings(*LCV, store, R);
1530
1531 // We may get non-CompoundVal accidentally due to imprecise cast logic.
1532 // Ignore them and kill the field values.
1533 if (V.isUnknown() || !isa<nonloc::CompoundVal>(V))
1534 return KillStruct(store, R);
1535
1536 nonloc::CompoundVal& CV = cast<nonloc::CompoundVal>(V);
1537 nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
1538
1539 RecordDecl::field_iterator FI, FE;
1540
1541 for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI, ++VI) {
1542
1543 if (VI == VE)
1544 break;
1545
1546 QualType FTy = (*FI)->getType();
1547 const FieldRegion* FR = MRMgr.getFieldRegion(*FI, R);
1548
1549 if (FTy->isArrayType())
1550 store = BindArray(store, FR, *VI);
1551 else if (FTy->isStructureType())
1552 store = BindStruct(store, FR, *VI);
1553 else
1554 store = Bind(store, ValMgr.makeLoc(FR), *VI);
1555 }
1556
1557 // There may be fewer values in the initialize list than the fields of struct.
1558 if (FI != FE) {
1559 RegionBindings B = GetRegionBindings(store);
1560 B = Add(B, R, BindingKey::Default, ValMgr.makeIntVal(0, false));
1561 store = B.getRoot();
1562 }
1563
1564 return store;
1565}
1566
1567Store RegionStoreManager::KillStruct(Store store, const TypedRegion* R) {
1568 RegionBindings B = GetRegionBindings(store);
1569 llvm::OwningPtr<RegionStoreSubRegionMap>
1570 SubRegions(getRegionStoreSubRegionMap(store));
1571 RemoveSubRegionBindings(B, R, *SubRegions);
1572
1573 // Set the default value of the struct region to "unknown".
1574 return Add(B, R, BindingKey::Default, UnknownVal()).getRoot();
1575}
1576
1577Store RegionStoreManager::CopyLazyBindings(nonloc::LazyCompoundVal V,
1578 Store store, const TypedRegion *R) {
1579
1580 // Nuke the old bindings stemming from R.
1581 RegionBindings B = GetRegionBindings(store);
1582
1583 llvm::OwningPtr<RegionStoreSubRegionMap>
1584 SubRegions(getRegionStoreSubRegionMap(store));
1585
1586 // B and DVM are updated after the call to RemoveSubRegionBindings.
1587 RemoveSubRegionBindings(B, R, *SubRegions.get());
1588
1589 // Now copy the bindings. This amounts to just binding 'V' to 'R'. This
1590 // results in a zero-copy algorithm.
1591 return Add(B, R, BindingKey::Direct, V).getRoot();
1592}
1593
1594//===----------------------------------------------------------------------===//
1595// "Raw" retrievals and bindings.
1596//===----------------------------------------------------------------------===//
1597
1598BindingKey BindingKey::Make(const MemRegion *R, Kind k) {
1599 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
1600 const RegionRawOffset &O = ER->getAsRawOffset();
1601
1602 if (O.getRegion())
1603 return BindingKey(O.getRegion(), O.getByteOffset(), k);
1604
1605 // FIXME: There are some ElementRegions for which we cannot compute
1606 // raw offsets yet, including regions with symbolic offsets.
1607 }
1608
1609 return BindingKey(R, 0, k);
1610}
1611
1612RegionBindings RegionStoreManager::Add(RegionBindings B, BindingKey K, SVal V) {
1613 return RBFactory.Add(B, K, V);
1614}
1615
1616RegionBindings RegionStoreManager::Add(RegionBindings B, const MemRegion *R,
1617 BindingKey::Kind k, SVal V) {
1618 return Add(B, BindingKey::Make(R, k), V);
1619}
1620
1621const SVal *RegionStoreManager::Lookup(RegionBindings B, BindingKey K) {
1622 return B.lookup(K);
1623}
1624
1625const SVal *RegionStoreManager::Lookup(RegionBindings B,
1626 const MemRegion *R,
1627 BindingKey::Kind k) {
1628 return Lookup(B, BindingKey::Make(R, k));
1629}
1630
1631RegionBindings RegionStoreManager::Remove(RegionBindings B, BindingKey K) {
1632 return RBFactory.Remove(B, K);
1633}
1634
1635RegionBindings RegionStoreManager::Remove(RegionBindings B, const MemRegion *R,
1636 BindingKey::Kind k){
1637 return Remove(B, BindingKey::Make(R, k));
1638}
1639
1640Store RegionStoreManager::Remove(Store store, BindingKey K) {
1641 RegionBindings B = GetRegionBindings(store);
1642 return Remove(B, K).getRoot();
1643}
1644
1645//===----------------------------------------------------------------------===//
1646// State pruning.
1647//===----------------------------------------------------------------------===//
1648
1649Store RegionStoreManager::RemoveDeadBindings(Store store, Stmt* Loc,
1650 SymbolReaper& SymReaper,
1651 llvm::SmallVectorImpl<const MemRegion*>& RegionRoots)
1652{
1653 typedef std::pair<Store, const MemRegion *> RBDNode;
1654
1655 RegionBindings B = GetRegionBindings(store);
1656
1657 // The backmap from regions to subregions.
1658 llvm::OwningPtr<RegionStoreSubRegionMap>
1659 SubRegions(getRegionStoreSubRegionMap(store));
1660
1661 // Do a pass over the regions in the store. For VarRegions we check if
1662 // the variable is still live and if so add it to the list of live roots.
1663 // For other regions we populate our region backmap.
1664 llvm::SmallVector<const MemRegion*, 10> IntermediateRoots;
1665
1666 // Scan the direct bindings for "intermediate" roots.
1667 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
1668 const MemRegion *R = I.getKey().getRegion();
1669 IntermediateRoots.push_back(R);
1670 }
1671
1672 // Process the "intermediate" roots to find if they are referenced by
1673 // real roots.
1674 llvm::SmallVector<RBDNode, 10> WorkList;
1675 llvm::SmallVector<RBDNode, 10> Postponed;
1676
1677 llvm::DenseSet<const MemRegion*> IntermediateVisited;
1678
1679 while (!IntermediateRoots.empty()) {
1680 const MemRegion* R = IntermediateRoots.back();
1681 IntermediateRoots.pop_back();
1682
1683 if (IntermediateVisited.count(R))
1684 continue;
1685 IntermediateVisited.insert(R);
1686
1687 if (const VarRegion* VR = dyn_cast<VarRegion>(R)) {
1688 if (SymReaper.isLive(Loc, VR))
1689 WorkList.push_back(std::make_pair(store, VR));
1690 continue;
1691 }
1692
1693 if (const SymbolicRegion* SR = dyn_cast<SymbolicRegion>(R)) {
1694 llvm::SmallVectorImpl<RBDNode> &Q =
1695 SymReaper.isLive(SR->getSymbol()) ? WorkList : Postponed;
1696
1697 Q.push_back(std::make_pair(store, SR));
1698
1699 continue;
1700 }
1701
1702 // Add the super region for R to the worklist if it is a subregion.
1703 if (const SubRegion* superR =
1704 dyn_cast<SubRegion>(cast<SubRegion>(R)->getSuperRegion()))
1705 IntermediateRoots.push_back(superR);
1706 }
1707
1708 // Enqueue the RegionRoots onto WorkList.
1709 for (llvm::SmallVectorImpl<const MemRegion*>::iterator I=RegionRoots.begin(),
1710 E=RegionRoots.end(); I!=E; ++I) {
1711 WorkList.push_back(std::make_pair(store, *I));
1712 }
1713 RegionRoots.clear();
1714
1715 llvm::DenseSet<RBDNode> Visited;
1716
1717tryAgain:
1718 while (!WorkList.empty()) {
1719 RBDNode N = WorkList.back();
1720 WorkList.pop_back();
1721
1722 // Have we visited this node before?
1723 if (Visited.count(N))
1724 continue;
1725 Visited.insert(N);
1726
1727 const MemRegion *R = N.second;
1728 Store store_N = N.first;
1729
1730 // Enqueue subregions.
1731 RegionStoreSubRegionMap *M;
1732
1733 if (store == store_N)
1734 M = SubRegions.get();
1735 else {
1736 RegionStoreSubRegionMap *& SM = SC[store_N];
1737 if (!SM)
1738 SM = getRegionStoreSubRegionMap(store_N);
1739 M = SM;
1740 }
1741
1742 if (const RegionStoreSubRegionMap::Set *S = M->getSubRegions(R))
1743 for (RegionStoreSubRegionMap::Set::iterator I = S->begin(), E = S->end();
1744 I != E; ++I)
1745 WorkList.push_back(std::make_pair(store_N, *I));
1746
1747 // Enqueue the super region.
1748 if (const SubRegion *SR = dyn_cast<SubRegion>(R)) {
1749 const MemRegion *superR = SR->getSuperRegion();
1750 if (!isa<MemSpaceRegion>(superR)) {
1751 // If 'R' is a field or an element, we want to keep the bindings
1752 // for the other fields and elements around. The reason is that
1753 // pointer arithmetic can get us to the other fields or elements.
1754 assert(isa<FieldRegion>(R) || isa<ElementRegion>(R)
1755 || isa<ObjCIvarRegion>(R));
1756 WorkList.push_back(std::make_pair(store_N, superR));
1757 }
1758 }
1759
1760 // Mark the symbol for any live SymbolicRegion as "live". This means we
1761 // should continue to track that symbol.
1762 if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(R))
1763 SymReaper.markLive(SymR->getSymbol());
1764
1765 // For BlockDataRegions, enqueue the VarRegions for variables marked
1766 // with __block (passed-by-reference).
1767 // via BlockDeclRefExprs.
1768 if (const BlockDataRegion *BD = dyn_cast<BlockDataRegion>(R)) {
1769 for (BlockDataRegion::referenced_vars_iterator
1770 RI = BD->referenced_vars_begin(), RE = BD->referenced_vars_end();
1771 RI != RE; ++RI) {
1772 if ((*RI)->getDecl()->getAttr<BlocksAttr>())
1773 WorkList.push_back(std::make_pair(store_N, *RI));
1774 }
1775 // No possible data bindings on a BlockDataRegion. Continue to the
1776 // next region in the worklist.
1777 continue;
1778 }
1779
1780 RegionBindings B_N = GetRegionBindings(store_N);
1781
1782 // Get the data binding for R (if any).
1783 Optional<SVal> V = getBinding(B_N, R);
1784
1785 if (V) {
1786 // Check for lazy bindings.
1787 if (const nonloc::LazyCompoundVal *LCV =
1788 dyn_cast<nonloc::LazyCompoundVal>(V.getPointer())) {
1789
1790 const LazyCompoundValData *D = LCV->getCVData();
1791 WorkList.push_back(std::make_pair(D->getStore(), D->getRegion()));
1792 }
1793 else {
1794 // Update the set of live symbols.
1795 for (SVal::symbol_iterator SI=V->symbol_begin(), SE=V->symbol_end();
1796 SI!=SE;++SI)
1797 SymReaper.markLive(*SI);
1798
1799 // If V is a region, then add it to the worklist.
1800 if (const MemRegion *RX = V->getAsRegion())
1801 WorkList.push_back(std::make_pair(store_N, RX));
1802 }
1803 }
1804 }
1805
1806 // See if any postponed SymbolicRegions are actually live now, after
1807 // having done a scan.
1808 for (llvm::SmallVectorImpl<RBDNode>::iterator I = Postponed.begin(),
1809 E = Postponed.end() ; I != E ; ++I) {
1810 if (const SymbolicRegion *SR = cast_or_null<SymbolicRegion>(I->second)) {
1811 if (SymReaper.isLive(SR->getSymbol())) {
1812 WorkList.push_back(*I);
1813 I->second = NULL;
1814 }
1815 }
1816 }
1817
1818 if (!WorkList.empty())
1819 goto tryAgain;
1820
1821 // We have now scanned the store, marking reachable regions and symbols
1822 // as live. We now remove all the regions that are dead from the store
1823 // as well as update DSymbols with the set symbols that are now dead.
1824 Store new_store = store;
1825 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I) {
1826 const MemRegion* R = I.getKey().getRegion();
1827 // If this region live? Is so, none of its symbols are dead.
1828 if (Visited.count(std::make_pair(store, R)))
1829 continue;
1830
1831 // Remove this dead region from the store.
1832 new_store = Remove(new_store, I.getKey());
1833
1834 // Mark all non-live symbols that this region references as dead.
1835 if (const SymbolicRegion* SymR = dyn_cast<SymbolicRegion>(R))
1836 SymReaper.maybeDead(SymR->getSymbol());
1837
1838 SVal X = I.getData();
1839 SVal::symbol_iterator SI = X.symbol_begin(), SE = X.symbol_end();
1840 for (; SI != SE; ++SI)
1841 SymReaper.maybeDead(*SI);
1842 }
1843
1844 return new_store;
1845}
1846
1847GRState const *RegionStoreManager::EnterStackFrame(GRState const *state,
1848 StackFrameContext const *frame) {
1849 FunctionDecl const *FD = cast<FunctionDecl>(frame->getDecl());
1850 CallExpr const *CE = cast<CallExpr>(frame->getCallSite());
1851
1852 FunctionDecl::param_const_iterator PI = FD->param_begin();
1853
1854 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end();
1855
1856 // Copy the arg expression value to the arg variables.
1857 Store store = state->getStore();
1858 for (; AI != AE; ++AI, ++PI) {
1859 SVal ArgVal = state->getSVal(*AI);
1860 store = Bind(store, ValMgr.makeLoc(MRMgr.getVarRegion(*PI, frame)), ArgVal);
1861 }
1862
1863 return state->makeWithStore(store);
1864}
1865
1866//===----------------------------------------------------------------------===//
1867// Utility methods.
1868//===----------------------------------------------------------------------===//
1869
1870void RegionStoreManager::print(Store store, llvm::raw_ostream& OS,
1871 const char* nl, const char *sep) {
1872 RegionBindings B = GetRegionBindings(store);
1873 OS << "Store (direct and default bindings):" << nl;
1874
1875 for (RegionBindings::iterator I = B.begin(), E = B.end(); I != E; ++I)
1876 OS << ' ' << I.getKey() << " : " << I.getData() << nl;
1877}