[analyzer] Construct a SymExpr even when the constraint solver cannot

reason about the expression.

This essentially keeps more history about how symbolic values were
constructed. As an optimization, previous to this commit, we only kept
the history if one of the symbols was tainted, but it's valuable keep
the history around for other purposes as well: it allows us to avoid
constructing conjured symbols.

Specifically, we need to identify the value of ptr as
ElementRegion (result of pointer arithmetic) in the following code.
However, before this commit '(2-x)' evaluated to Unknown value, and as
the result, 'p + (2-x)' evaluated to Unknown value as well.

int *p = malloc(sizeof(int));
ptr = p + (2-x);

This change brings 2% slowdown on sqlite. Fixes radar://11329382.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@155944 91177308-0d34-0410-b5e6-96231b3b80d8

1 files changed, 17 insertions, 21 deletions

diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp
index 9e97f5e7d1..c1217e1174 100644
--- a/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -195,30 +195,26 @@ DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,
 
 //===----------------------------------------------------------------------===//
 
-SVal SValBuilder::makeGenericVal(ProgramStateRef State,
-                                     BinaryOperator::Opcode Op,
-                                     NonLoc LHS, NonLoc RHS,
-                                     QualType ResultTy) {
-  // If operands are tainted, create a symbol to ensure that we propagate taint.
-  if (State->isTainted(RHS) || State->isTainted(LHS)) {
-    const SymExpr *symLHS;
-    const SymExpr *symRHS;
-
-    if (const nonloc::ConcreteInt *rInt = dyn_cast<nonloc::ConcreteInt>(&RHS)) {
-      symLHS = LHS.getAsSymExpr();
-      return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
-    }
-
-    if (const nonloc::ConcreteInt *lInt = dyn_cast<nonloc::ConcreteInt>(&LHS)) {
-      symRHS = RHS.getAsSymExpr();
-      return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
-    }
-
+SVal SValBuilder::makeSymExprValNN(ProgramStateRef State,
+                                 BinaryOperator::Opcode Op,
+                                 NonLoc LHS, NonLoc RHS,
+                                 QualType ResultTy) {
+  const SymExpr *symLHS;
+  const SymExpr *symRHS;
+
+  if (const nonloc::ConcreteInt *rInt = dyn_cast<nonloc::ConcreteInt>(&RHS)) {
     symLHS = LHS.getAsSymExpr();
+    return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
+  }
+
+  if (const nonloc::ConcreteInt *lInt = dyn_cast<nonloc::ConcreteInt>(&LHS)) {
     symRHS = RHS.getAsSymExpr();
-    return makeNonLoc(symLHS, Op, symRHS, ResultTy);
+    return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
   }
-  return UnknownVal();
+
+  symLHS = LHS.getAsSymExpr();
+  symRHS = RHS.getAsSymExpr();
+  return makeNonLoc(symLHS, Op, symRHS, ResultTy);
 }