| blob | 6c65da4635be5a164b79073d3f8640abc4cc56c3 |
1 // SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*-
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines SimpleSValBuilder, a basic implementation of SValBuilder.
11 //
12 //===----------------------------------------------------------------------===//
41 /// getKnownValue - evaluates a given SVal. If the SVal has only one possible
42 /// (integer) value, that value is returned. Otherwise, returns NULL.
47 };
54 }
56 //===----------------------------------------------------------------------===//
57 // Transfer function for Casts.
58 //===----------------------------------------------------------------------===//
68 // FIXME: Correctly support promotions/truncations.
73 }
80 // FIXME: Remove this hack when we support symbolic truncation/extension.
81 // HACK: If both castTy and T are integers, ignore the cast. This is
82 // not a permanent solution. Eventually we want to precisely handle
83 // extension/truncation of symbolic integers. This prevents us from losing
84 // precision when we assign 'x = y' and 'y' is symbolic and x and y are
85 // different integer types.
90 }
95 // Only handle casts from integers to integers.
105 else
107 }
111 // Casts from pointers -> pointers, just return the lval.
112 //
113 // Casts from pointers -> references, just return the lval. These
114 // can be introduced by the frontend for corner cases, e.g
115 // casting from va_list* to __builtin_va_list&.
116 //
120 // FIXME: Handle transparent unions where a value can be "transparently"
121 // lifted into a union type.
135 }
137 // All other cases: return 'UnknownVal'. This includes casting pointers
138 // to floats, which is probably badness it itself, but this is a good
139 // intermediate solution until we do something better.
141 }
143 //===----------------------------------------------------------------------===//
144 // Transfer function for unary operators.
145 //===----------------------------------------------------------------------===//
153 }
154 }
162 }
163 }
165 //===----------------------------------------------------------------------===//
166 // Transfer function for binary operators.
167 //===----------------------------------------------------------------------===//
179 }
180 }
193 }
194 }
199 QualType resultTy) {
202 // Check for a few special cases with known reductions first.
205 // We can't reduce this case; just treat it normally.
208 // a*0 and a*1
215 // a/0 and a/1
217 // This is also handled elsewhere.
223 // a%0 and a%1
225 // This is also handled elsewhere.
235 // a+0, a-0, a<<0, a>>0, a^0
240 // a&0 and a&(~0)
247 // a|0 and a|(~0)
253 }
255 }
257 // Idempotent ops (like a*1) can still change the type of an expression.
258 // Wrap the LHS up in a NonLoc again and let evalCastNL do the dirty work.
263 }
265 // If we reach this point, the expression cannot be simplified.
266 // Make a SymExprVal for the entire thing.
268 }
273 QualType resultTy) {
274 // Handle trivial case where left-side and right-side are the same.
293 }
305 resultTy);
307 // Transform the integer into a location and compare.
312 }
320 // This case also handles pointer arithmetic.
322 }
323 }
324 }
328 // Only handle LHS of the form "$sym op constant", at least for now.
335 // Is this a logical not? (!x is represented as x == 0.)
337 // We know how to negate certain expressions. Simplify them here.
342 // We don't know how to negate this operation.
343 // Just handle it as if it were a normal comparison to 0.
373 // Negate the comparison and make a value.
378 }
379 }
381 // For now, only handle expressions whose RHS is a constant.
386 // If both the LHS and the current expression are additive,
387 // fold their constants.
391 // resultTy may not be the best type to convert to, but it's
392 // probably the best choice in expressions with mixed type
393 // (such as x+1U+2LL). The rules for implicit conversions should
394 // choose a reasonable type to preserve the expression, and will
395 // at least match how the value is going to be used.
403 else
406 }
407 }
409 // Otherwise, make a SymExprVal out of the expression.
411 }
420 // Swap the left and right sides and flip the operator if doing so
421 // allows us to better reason about the expression (this is a form
422 // of expression canonicalization).
423 // While we're at it, catch some special cases for non-commutative ops.
445 // At this point lhs and rhs have been swapped.
447 // FALL-THROUGH
450 // At this point lhs and rhs have been swapped.
455 }
456 }
457 }
461 // Does the symbol simplify to a constant? If so, "fold" the constant
462 // by setting 'lhs' to a ConcreteInt and try again.
465 // The symbol evaluates to a constant. If necessary, promote the
466 // folded constant (LHS) to the result type.
470 // Also promote the RHS (if necessary).
472 // For shifts, it is not necessary to promote the RHS.
476 // Other operators: do an implicit conversion. This shouldn't be
477 // necessary once we support truncation/extension of symbolic values.
481 }
484 }
486 // Is the RHS a symbol we can simplify?
491 // The symbol evaluates to a constant.
494 }
495 }
496 }
501 resultTy);
502 }
505 }
506 }
507 }
508 }
510 // FIXME: all this logic will change if/when we have MemRegion::getLocation().
514 QualType resultTy) {
515 // Only comparisons and subtractions are valid operations on two pointers.
516 // See [C99 6.5.5 through 6.5.14] or [C++0x 5.6 through 5.15].
517 // However, if a pointer is casted to an integer, evalBinOpNN may end up
518 // calling this function with another operation (PR7527). We don't attempt to
519 // model this for now, but it could be useful, particularly when the
520 // "location" is actually an integer value that's been passed through a void*.
524 // Special cases for when both sides are identical.
540 }
541 }
549 // The only thing we know about labels is that they're non-null.
564 }
565 }
566 // There may be two labels for the same location, and a function region may
567 // have the same address as a label at the start of the function (depending
568 // on the ABI).
569 // FIXME: we can probably do a comparison against other MemRegions, though.
570 // FIXME: is there a way to tell if two labels refer to the same location?
574 // If one of the operands is a symbol and the other is a constant,
575 // build an expression for use by the constraint manager.
577 // We can only build expressions with symbols on the left,
578 // so we need a reversible operator.
584 }
586 // If both operands are constants, just perform the operation.
592 else
594 }
596 // Special case comparisons against NULL.
597 // This must come after the test if the RHS is a symbol, which is used to
598 // build constraints. The address of any non-symbolic region is guaranteed
599 // to be non-NULL, as is any label.
613 }
614 }
616 // Comparing an arbitrary integer to a region or label address is
617 // completely unknowable.
619 }
622 // If one of the operands is a symbol and the other is a constant,
623 // build an expression for use by the constraint manager.
627 // Special case comparisons to NULL.
628 // This must come after the test if the LHS is a symbol, which is used to
629 // build constraints. The address of any non-symbolic region is guaranteed
630 // to be non-NULL.
645 }
646 }
648 // Comparing a region to an arbitrary integer is completely unknowable.
650 }
652 // Get both values as regions, if possible.
658 // The RHS is probably a label, which in theory could address a region.
659 // FIXME: we can probably make a more useful statement about non-code
660 // regions, though.
663 // If both values wrap regions, see if they're from different base regions.
675 }
676 }
678 // The two regions are from the same base region. See if they're both a
679 // type of region we know how to compare.
681 // FIXME: If/when there is a getAsRawOffset() for FieldRegions, this
682 // ElementRegion path and the FieldRegion path below should be unified.
684 // First see if the right region is also an ElementRegion.
689 // Next, see if the two ERs have the same super-region and matching types.
690 // FIXME: This should do something useful even if the types don't match,
691 // though if both indexes are constant the RegionRawOffset path will
692 // give the correct answer.
695 // Get the left index and cast it to the correct type.
696 // If the index is unknown or undefined, bail out here.
706 // Do the same for the right index.
716 // Actually perform the operation.
717 // evalBinOpNN expects the two indexes to already be the right type.
719 }
721 // If the element indexes aren't comparable, see if the raw offsets are.
745 }
746 }
748 // If we get here, we have no way of comparing the ElementRegions.
750 }
752 // See if both regions are fields of the same structure.
753 // FIXME: This doesn't handle nesting, inheritance, or Objective-C ivars.
755 // Only comparisons are meaningful here!
759 // First see if the right region is also a FieldRegion.
764 // Next, see if the two FRs have the same super-region.
765 // FIXME: This doesn't handle casts yet, and simply stripping the casts
766 // doesn't help.
774 // Make sure the two FRs are from the same kind of record. Just in case!
775 // FIXME: This is probably where inheritance would be a problem.
779 // We know for sure that the two fields are not the same, since that
780 // would have given us the same SVal.
786 // Iterate through the fields and see which one comes first.
787 // [C99 6.7.2.1.13] "Within a structure object, the non-bit-field
788 // members and the units in which bit-fields reside have addresses that
789 // increase in the order in which they are declared."
797 }
800 }
802 // If we get here, we have no way of comparing the regions.
804 }
805 }
806 }
812 // Special case: rhs is a zero constant.
816 // Special case: 'rhs' is an integer that has the same width as a pointer and
817 // we are using the integer location in a comparison. Normally this cannot be
818 // triggered, but transfer functions like those for OSCommpareAndSwapBarrier32
819 // can generate comparisons that trigger this code.
820 // FIXME: Are all locations guaranteed to have pointer width?
826 // Convert the signedness of the integer (if necessary).
831 }
832 }
833 }
835 // We are dealing with pointer arithmetic.
837 // Handle pointer arithmetic on constant values.
844 // Convert the bitwidth of rightI. This should deal with overflow
845 // since we are dealing with concrete values.
848 // Offset the increment by the pointer size.
852 // Compute the adjusted pointer.
862 }
864 }
865 }
867 // Handle cases where 'lhs' is a region.
872 QualType elementType;
879 }
885 }
890 }
891 }
896 }
897 }
899 }
902 SVal V) {
915 // FIXME: Add support for SymExprs.
917 }