| blob | 782cd4f5e68b001be006346321fd292854a9241a |
1 // SimpleSValuator.cpp - A basic SValuator ------------------------*- C++ -*--//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines SimpleSValuator, a basic implementation of SValuator.
11 //
12 //===----------------------------------------------------------------------===//
38 /// getKnownValue - Evaluates a given SVal. If the SVal has only one possible
39 /// (integer) value, that value is returned. Otherwise, returns NULL.
44 };
49 }
51 //===----------------------------------------------------------------------===//
52 // Transfer function for Casts.
53 //===----------------------------------------------------------------------===//
63 // FIXME: Correctly support promotions/truncations.
70 }
78 // FIXME: Remove this hack when we support symbolic truncation/extension.
79 // HACK: If both castTy and T are integers, ignore the cast. This is
80 // not a permanent solution. Eventually we want to precisely handle
81 // extension/truncation of symbolic integers. This prevents us from losing
82 // precision when we assign 'x = y' and 'y' is symbolic and x and y are
83 // different integer types.
88 }
93 // Only handle casts from integers to integers.
103 else
105 }
109 // Casts from pointers -> pointers, just return the lval.
110 //
111 // Casts from pointers -> references, just return the lval. These
112 // can be introduced by the frontend for corner cases, e.g
113 // casting from va_list* to __builtin_va_list&.
114 //
118 // FIXME: Handle transparent unions where a value can be "transparently"
119 // lifted into a union type.
133 }
135 // All other cases: return 'UnknownVal'. This includes casting pointers
136 // to floats, which is probably badness it itself, but this is a good
137 // intermediate solution until we do something better.
139 }
141 //===----------------------------------------------------------------------===//
142 // Transfer function for unary operators.
143 //===----------------------------------------------------------------------===//
151 }
152 }
160 }
161 }
163 //===----------------------------------------------------------------------===//
164 // Transfer function for binary operators.
165 //===----------------------------------------------------------------------===//
177 }
178 }
191 }
192 }
197 QualType resultTy) {
200 // Check for a few special cases with known reductions first.
203 // We can't reduce this case; just treat it normally.
206 // a*0 and a*1
213 // a/0 and a/1
215 // This is also handled elsewhere.
221 // a%0 and a%1
223 // This is also handled elsewhere.
233 // a+0, a-0, a<<0, a>>0, a^0
238 // a&0 and a&(~0)
245 // a|0 and a|(~0)
252 }
254 }
256 // Idempotent ops (like a*1) can still change the type of an expression.
257 // Wrap the LHS up in a NonLoc again and let EvalCastNL do the dirty work.
262 }
264 // If we reach this point, the expression cannot be simplified.
265 // Make a SymExprVal for the entire thing.
267 }
272 QualType resultTy) {
273 // Handle trivial case where left-side and right-side are the same.
292 }
304 resultTy);
306 // Transform the integer into a location and compare.
312 }
320 // This case also handles pointer arithmetic.
322 }
323 }
324 }
328 // Only handle LHS of the form "$sym op constant", at least for now.
335 // Is this a logical not? (!x is represented as x == 0.)
337 // We know how to negate certain expressions. Simplify them here.
342 // We don't know how to negate this operation.
343 // Just handle it as if it were a normal comparison to 0.
373 // Negate the comparison and make a value.
378 }
379 }
381 // For now, only handle expressions whose RHS is a constant.
386 // If both the LHS and the current expression are additive,
387 // fold their constants.
393 // resultTy may not be the best type to convert to, but it's
394 // probably the best choice in expressions with mixed type
395 // (such as x+1U+2LL). The rules for implicit conversions should
396 // choose a reasonable type to preserve the expression, and will
397 // at least match how the value is going to be used.
406 else
409 }
410 }
412 // Otherwise, make a SymExprVal out of the expression.
414 }
423 // Swap the left and right sides and flip the operator if doing so
424 // allows us to better reason about the expression (this is a form
425 // of expression canonicalization).
426 // While we're at it, catch some special cases for non-commutative ops.
448 // At this point lhs and rhs have been swapped.
450 // FALL-THROUGH
453 // At this point lhs and rhs have been swapped.
458 }
459 }
460 }
467 // Does the symbol simplify to a constant? If so, "fold" the constant
468 // by setting 'lhs' to a ConcreteInt and try again.
471 // The symbol evaluates to a constant. If necessary, promote the
472 // folded constant (LHS) to the result type.
477 // Also promote the RHS (if necessary).
479 // For shifts, it is not necessary to promote the RHS.
483 // Other operators: do an implicit conversion. This shouldn't be
484 // necessary once we support truncation/extension of symbolic values.
487 }
490 }
492 // Is the RHS a symbol we can simplify?
497 // The symbol evaluates to a constant.
501 }
502 }
503 }
508 resultTy);
509 }
512 }
513 }
514 }
515 }
517 // FIXME: all this logic will change if/when we have MemRegion::getLocation().
521 QualType resultTy) {
522 // Only comparisons and subtractions are valid operations on two pointers.
523 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15].
524 // However, if a pointer is casted to an integer, EvalBinOpNN may end up
525 // calling this function with another operation (PR7527). We don't attempt to
526 // model this for now, but it could be useful, particularly when the
527 // "location" is actually an integer value that's been passed through a void*.
531 // Special cases for when both sides are identical.
547 }
548 }
556 // The only thing we know about labels is that they're non-null.
571 }
572 }
573 // There may be two labels for the same location, and a function region may
574 // have the same address as a label at the start of the function (depending
575 // on the ABI).
576 // FIXME: we can probably do a comparison against other MemRegions, though.
577 // FIXME: is there a way to tell if two labels refer to the same location?
581 // If one of the operands is a symbol and the other is a constant,
582 // build an expression for use by the constraint manager.
584 // We can only build expressions with symbols on the left,
585 // so we need a reversible operator.
591 }
593 // If both operands are constants, just perform the operation.
599 else
601 }
603 // Special case comparisons against NULL.
604 // This must come after the test if the RHS is a symbol, which is used to
605 // build constraints. The address of any non-symbolic region is guaranteed
606 // to be non-NULL, as is any label.
620 }
621 }
623 // Comparing an arbitrary integer to a region or label address is
624 // completely unknowable.
626 }
629 // If one of the operands is a symbol and the other is a constant,
630 // build an expression for use by the constraint manager.
634 // Special case comparisons to NULL.
635 // This must come after the test if the LHS is a symbol, which is used to
636 // build constraints. The address of any non-symbolic region is guaranteed
637 // to be non-NULL.
652 }
653 }
655 // Comparing a region to an arbitrary integer is completely unknowable.
657 }
659 // Get both values as regions, if possible.
665 // The RHS is probably a label, which in theory could address a region.
666 // FIXME: we can probably make a more useful statement about non-code
667 // regions, though.
670 // If both values wrap regions, see if they're from different base regions.
682 }
683 }
685 // The two regions are from the same base region. See if they're both a
686 // type of region we know how to compare.
688 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this
689 // ElementRegion path and the FieldRegion path below should be unified.
691 // First see if the right region is also an ElementRegion.
696 // Next, see if the two ERs have the same super-region and matching types.
697 // FIXME: This should do something useful even if the types don't match,
698 // though if both indexes are constant the RegionRawOffset path will
699 // give the correct answer.
702 // Get the left index and cast it to the correct type.
703 // If the index is unknown or undefined, bail out here.
713 // Do the same for the right index.
723 // Actually perform the operation.
724 // EvalBinOpNN expects the two indexes to already be the right type.
726 }
728 // If the element indexes aren't comparable, see if the raw offsets are.
752 }
753 }
755 // If we get here, we have no way of comparing the ElementRegions.
757 }
759 // See if both regions are fields of the same structure.
760 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars.
762 // Only comparisons are meaningful here!
766 // First see if the right region is also a FieldRegion.
771 // Next, see if the two FRs have the same super-region.
772 // FIXME: This doesn't handle casts yet, and simply stripping the casts
773 // doesn't help.
781 // Make sure the two FRs are from the same kind of record. Just in case!
782 // FIXME: This is probably where inheritance would be a problem.
786 // We know for sure that the two fields are not the same, since that
787 // would have given us the same SVal.
793 // Iterate through the fields and see which one comes first.
794 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field
795 // members and the units in which bit-fields reside have addresses that
796 // increase in the order in which they are declared."
804 }
807 }
809 // If we get here, we have no way of comparing the regions.
811 }
812 }
813 }
818 // Special case: 'rhs' is an integer that has the same width as a pointer and
819 // we are using the integer location in a comparison. Normally this cannot be
820 // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32
821 // can generate comparisons that trigger this code.
822 // FIXME: Are all locations guaranteed to have pointer width?
828 // Convert the signedness of the integer (if necessary).
833 }
834 }
835 }
837 // We are dealing with pointer arithmetic.
839 // Handle pointer arithmetic on constant values.
846 // Convert the bitwidth of rightI. This should deal with overflow
847 // since we are dealing with concrete values.
850 // Offset the increment by the pointer size.
854 // Compute the adjusted pointer.
864 }
866 }
867 }
870 // Delegate remaining pointer arithmetic to the StoreManager.
873 }
876 SVal V) {
889 // FIXME: Add support for SymExprs.
891 }