[analyzer] Do not conjure a symbol when we need to propagate taint.

When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@144932 91177308-0d34-0410-b5e6-96231b3b80d8
author: Anna Zaks <ganna@apple.com> 2011-11-17 23:07:28 +0000
committer: Anna Zaks <ganna@apple.com> 2011-11-17 23:07:28 +0000
commit: 0d339d06f8721d14befd6311bd306ac485772188 (patch)
tree: 11347faffcd3c67ff414093e0a0b8a8ae3b19996 /lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
parent: d3b74d9ca4f239a7a90ad193378c494306c57352 (diff)
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index bd63ecf775..f7924319e5 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -298,7 +298,7 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
   while (1) {
     switch (lhs.getSubKind()) {
     default:
-      return UnknownVal();
+      return generateUnknownVal(state, op, lhs, rhs, resultTy);
     case nonloc::LocAsIntegerKind: {
       Loc lhsL = cast<nonloc::LocAsInteger>(lhs).getLoc();
       switch (rhs.getSubKind()) {
@@ -321,7 +321,7 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
               return makeTruthVal(true, resultTy);
             default:
               // This case also handles pointer arithmetic.
-              return UnknownVal();
+              return generateUnknownVal(state, op, lhs, rhs, resultTy);
           }
       }
     }
@@ -333,7 +333,7 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
         dyn_cast<SymIntExpr>(selhs->getSymbolicExpression());
 
       if (!symIntExpr)
-        return UnknownVal();
+        return generateUnknownVal(state, op, lhs, rhs, resultTy);
 
       // Is this a logical not? (!x is represented as x == 0.)
       if (op == BO_EQ && rhs.isZeroConstant()) {
@@ -381,7 +381,7 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
       // For now, only handle expressions whose RHS is a constant.
       const nonloc::ConcreteInt *rhsInt = dyn_cast<nonloc::ConcreteInt>(&rhs);
       if (!rhsInt)
-        return UnknownVal();
+        return generateUnknownVal(state, op, lhs, rhs, resultTy);
 
       // If both the LHS and the current expression are additive,
       // fold their constants.
@@ -467,9 +467,9 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
             if (lhsValue == 0)
               // At this point lhs and rhs have been swapped.
               return rhs;
-            return UnknownVal();
+            return generateUnknownVal(state, op, lhs, rhs, resultTy);
           default:
-            return UnknownVal();
+            return generateUnknownVal(state, op, lhs, rhs, resultTy);
         }
       }
     }
@@ -529,7 +529,7 @@ SVal SimpleSValBuilder::evalBinOpNN(const ProgramState *state,
                              resultTy);
       }
 
-      return UnknownVal();
+      return generateUnknownVal(state, op, lhs, rhs, resultTy);
     }
     }
   }
author	Anna Zaks <ganna@apple.com>	2011-11-17 23:07:28 +0000
committer	Anna Zaks <ganna@apple.com>	2011-11-17 23:07:28 +0000
commit	0d339d06f8721d14befd6311bd306ac485772188 (patch)
tree	11347faffcd3c67ff414093e0a0b8a8ae3b19996 /lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
parent	d3b74d9ca4f239a7a90ad193378c494306c57352 (diff)