-rw-r--r-- | include/clang/Analysis/PathSensitive/GRExprEngine.h | 9 | ||||
-rw-r--r-- | include/clang/Analysis/PathSensitive/Store.h | 6 | ||||
-rw-r--r-- | lib/Analysis/GRExprEngine.cpp | 22 |
3 files changed, 36 insertions, 1 deletions
diff --git a/include/clang/Analysis/PathSensitive/GRExprEngine.h b/include/clang/Analysis/PathSensitive/GRExprEngine.h index 86853627ee..5339f6f3a2 100644 --- a/include/clang/Analysis/PathSensitive/GRExprEngine.h +++ b/include/clang/Analysis/PathSensitive/GRExprEngine.h @@ -455,6 +455,15 @@ protected: return StateMgr.Assume(St, Cond, Assumption, isFeasible); } + const GRState* AssumeInBound(const GRState* St, SVal Idx, SVal UpperBound, + bool Assumption, bool& isFeasible) { + // FIXME: In this function, we will check if Idx can be in/out + // [0, UpperBound) according to the assumption. We can extend the + // interface to include a LowerBound parameter. + isFeasible = true; + return St; + } + NodeTy* MakeNode(NodeSet& Dst, Stmt* S, NodeTy* Pred, const GRState* St, ProgramPoint::Kind K = ProgramPoint::PostStmtKind) { assert (Builder && "GRStmtNodeBuilder not present."); diff --git a/include/clang/Analysis/PathSensitive/Store.h b/include/clang/Analysis/PathSensitive/Store.h index c4e21f2b19..7b6bf1e1d2 100644 --- a/include/clang/Analysis/PathSensitive/Store.h +++ b/include/clang/Analysis/PathSensitive/Store.h @@ -72,7 +72,11 @@ public: const FieldDecl* D) = 0; virtual SVal getLValueElement(const GRState* St, SVal Base, SVal Offset) = 0; - + + virtual SVal getSizeInElements(const GRState* St, const MemRegion* R) { + return UnknownVal(); + } + /// ArrayToPointer - Used by GRExprEngine::VistCast to handle implicit /// conversions between arrays and pointers. virtual SVal ArrayToPointer(SVal Array) = 0; diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp index e2c23b4942..8f8a143863 100644 --- a/lib/Analysis/GRExprEngine.cpp +++ b/lib/Analysis/GRExprEngine.cpp 
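Review bot: The AssumeInBound stub added to GRExprEngine.h sets `isFeasible = true` and returns `St` unchanged for both values of `Assumption`, ignoring `Idx` and `UpperBound`, so a caller cannot tell an in-bound access from an out-of-bound one. That is harmless only while nothing is reported from the result, and the FIXME should say so, e.g. `// Placeholder: both assumptions are reported feasible and St is returned unmodified; do not emit bounds warnings from this result yet.` When the check is implemented, an unknown or undefined `Idx` or `UpperBound` should presumably leave both outcomes feasible rather than pick one, and the lower-bound case mentioned in the FIXME (a negative index) needs the same treatment.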
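Review bot: The new `getSizeInElements` in Store.h has no doc comment, and unlike the neighbouring `getLValueElement` and `ArrayToPointer` it is not pure virtual, so a store manager that never overrides it silently answers `UnknownVal()` for every region. A comment in the style of the one on `ArrayToPointer` would make that contract visible: `/// getSizeInElements - Returns the extent of region R in elements, or UnknownVal if this store manager does not track region sizes.` Callers then know that an unknown extent means "no information", not "unbounded".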
@@ -1067,6 +1067,28 @@ const GRState* GRExprEngine::EvalLocation(Expr* Ex, NodeTy* Pred, else ExplicitNullDeref.insert(NullNode); } } + + // Check for out-of-bound array access. + if (isFeasibleNotNull && isa<loc::MemRegionVal>(LV)) { + const MemRegion* R = cast<loc::MemRegionVal>(LV).getRegion(); + if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) { + // Get the index of the accessed element. + SVal Idx = ER->getIndex(); + // Get the extent of the array. + SVal NumElements = StateMgr.getStoreManager().getSizeInElements(StNotNull, + ER->getSuperRegion()); + + bool isFeasibleInBound = false; + const GRState* StInBound = AssumeInBound(StNotNull, Idx, NumElements, + true, isFeasibleInBound); + + bool isFeasibleOutBound = false; + const GRState* StOutBound = AssumeInBound(StNotNull, Idx, NumElements, + false, isFeasibleOutBound); + + // Report warnings ... + } + } return isFeasibleNotNull ? StNotNull : NULL; } |
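Review bot: `StInBound` and `StOutBound` are computed in the new block but never read, and the function still ends with `return isFeasibleNotNull ? StNotNull : NULL;`, so the bounds assumption does not yet affect the state handed back to the caller. A comment next to `// Report warnings ...` would record the intended follow-up, e.g. `// TODO: when AssumeInBound is implemented, generate a node for StOutBound (as done for NullNode above) and continue with StInBound.` The block also needs to skip reporting when `NumElements` is `UnknownVal`, which is what the default `getSizeInElements` returns, otherwise every element access would look feasibly out of bounds. EvalLocation begins outside this hunk, so how `StNotNull` is derived is not visible here.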