aboutsummaryrefslogtreecommitdiff
path: root/lib/Analysis/Store.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'lib/Analysis/Store.cpp')
-rw-r--r--lib/Analysis/Store.cpp143
1 files changed, 96 insertions, 47 deletions
diff --git a/lib/Analysis/Store.cpp b/lib/Analysis/Store.cpp
index 68bb49cbe3..bfcb0f41ca 100644
--- a/lib/Analysis/Store.cpp
+++ b/lib/Analysis/Store.cpp
@@ -22,17 +22,15 @@ StoreManager::StoreManager(GRStateManager &stateMgr)
StoreManager::CastResult
StoreManager::MakeElementRegion(const GRState *state, const MemRegion *region,
- QualType pointeeTy, QualType castToTy) {
-
- // Record the cast type of the region.
- state = setCastType(state, region, castToTy);
-
- // Create a new ElementRegion at offset 0.
- SVal idx = ValMgr.makeZeroArrayIndex();
+ QualType pointeeTy, QualType castToTy,
+ uint64_t index) {
+ // Create a new ElementRegion.
+ SVal idx = ValMgr.makeArrayIndex(index);
return CastResult(state, MRMgr.getElementRegion(pointeeTy, idx, region,
ValMgr.getContext()));
}
+// FIXME: Merge with the implementation of the same method in MemRegion.cpp
static bool IsCompleteType(ASTContext &Ctx, QualType Ty) {
if (const RecordType *RT = Ty->getAs<RecordType>()) {
const RecordDecl *D = RT->getDecl();
@@ -49,15 +47,10 @@ StoreManager::CastRegion(const GRState *state, const MemRegion* R,
ASTContext& Ctx = StateMgr.getContext();
- // We need to know the real type of CastToTy.
- QualType ToTy = Ctx.getCanonicalType(CastToTy);
-
// Handle casts to Objective-C objects.
- if (CastToTy->isObjCObjectPointerType()) {
- state = setCastType(state, R, CastToTy);
- return CastResult(state, R);
- }
-
+ if (CastToTy->isObjCObjectPointerType())
+ return CastResult(state, R->getBaseRegion());
+
if (CastToTy->isBlockPointerType()) {
if (isa<CodeTextRegion>(R))
return CastResult(state, R);
@@ -79,6 +72,15 @@ StoreManager::CastRegion(const GRState *state, const MemRegion* R,
// already be handled.
QualType PointeeTy = CastToTy->getAs<PointerType>()->getPointeeType();
+ // Handle casts from compatible types or to void*.
+ if (R->isBoundable())
+ if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
+ QualType ObjTy = Ctx.getCanonicalType(TR->getValueType(Ctx));
+ QualType CanonPointeeTy = Ctx.getCanonicalType(PointeeTy);
+ if (CanonPointeeTy == ObjTy || CanonPointeeTy == Ctx.VoidTy)
+ return CastResult(state, R);
+ }
+
// Process region cast according to the kind of the region being cast.
switch (R->getKind()) {
case MemRegion::BEG_TYPED_REGIONS:
@@ -88,8 +90,7 @@ StoreManager::CastRegion(const GRState *state, const MemRegion* R,
case MemRegion::END_TYPED_REGIONS: {
assert(0 && "Invalid region cast");
break;
- }
-
+ }
case MemRegion::CodeTextRegionKind: {
// CodeTextRegion should be cast to only a function or block pointer type,
// although they can in practice be casted to anything, e.g, void*,
@@ -99,46 +100,94 @@ StoreManager::CastRegion(const GRState *state, const MemRegion* R,
}
case MemRegion::StringRegionKind:
- // Handle casts of string literals.
- return MakeElementRegion(state, R, PointeeTy, CastToTy);
-
case MemRegion::ObjCObjectRegionKind:
- case MemRegion::SymbolicRegionKind:
// FIXME: Need to handle arbitrary downcasts.
- case MemRegion::AllocaRegionKind: {
- state = setCastType(state, R, CastToTy);
- break;
- }
-
+ case MemRegion::SymbolicRegionKind:
+ case MemRegion::AllocaRegionKind:
case MemRegion::CompoundLiteralRegionKind:
- case MemRegion::ElementRegionKind:
case MemRegion::FieldRegionKind:
case MemRegion::ObjCIvarRegionKind:
- case MemRegion::VarRegionKind: {
- // VarRegion, ElementRegion, and FieldRegion has an inherent type.
- // Normally they should not be cast. We only layer an ElementRegion when
- // the cast-to pointee type is of smaller size. In other cases, we return
- // the original VarRegion.
+ case MemRegion::VarRegionKind:
+ return MakeElementRegion(state, R, PointeeTy, CastToTy);
+
+ case MemRegion::ElementRegionKind: {
+ // If we are casting from an ElementRegion to another type, the
+ // algorithm is as follows:
+ //
+ // (1) Compute the "raw offset" of the ElementRegion from the
+ // base region. This is done by calling 'getAsRawOffset()'.
+ //
+ // (2a) If we get a 'RegionRawOffset' after calling
+ // 'getAsRawOffset()', determine if the absolute offset
+ // can be exactly divided into chunks of the size of the
+ // casted-pointee type. If so, create a new ElementRegion with
+ // the pointee-cast type as the new ElementType and the index
+ // being the offset divded by the chunk size. If not, create
+ // a new ElementRegion at offset 0 off the raw offset region.
+ //
+ // (2b) If we don't a get a 'RegionRawOffset' after calling
+ // 'getAsRawOffset()', it means that we are at offset 0.
+ //
+ // FIXME: Handle symbolic raw offsets.
- // If the pointee or object type is incomplete, do not compute their
- // sizes, and return the original region.
- QualType ObjTy = cast<TypedRegion>(R)->getValueType(Ctx);
+ const ElementRegion *elementR = cast<ElementRegion>(R);
+ const RegionRawOffset &rawOff = elementR->getAsRawOffset();
+ const MemRegion *baseR = rawOff.getRegion();
- if (!IsCompleteType(Ctx, PointeeTy) || !IsCompleteType(Ctx, ObjTy)) {
- state = setCastType(state, R, ToTy);
- break;
+ // If we cannot compute a raw offset, throw up our hands and return
+ // a NULL MemRegion*.
+ if (!baseR)
+ return CastResult(state, NULL);
+
+ int64_t off = rawOff.getByteOffset();
+
+ if (off == 0) {
+ // Edge case: we are at 0 bytes off the beginning of baseR. We
+ // check to see if type we are casting to is the same as the base
+ // region. If so, just return the base region.
+ if (const TypedRegion *TR = dyn_cast<TypedRegion>(baseR)) {
+ QualType ObjTy = Ctx.getCanonicalType(TR->getValueType(Ctx));
+ QualType CanonPointeeTy = Ctx.getCanonicalType(PointeeTy);
+ if (CanonPointeeTy == ObjTy)
+ return CastResult(state, baseR);
+ }
+
+ // Otherwise, create a new ElementRegion at offset 0.
+ return MakeElementRegion(state, baseR, PointeeTy, CastToTy, 0);
}
+
+ // We have a non-zero offset from the base region. We want to determine
+ // if the offset can be evenly divided by sizeof(PointeeTy). If so,
+ // we create an ElementRegion whose index is that value. Otherwise, we
+ // create two ElementRegions, one that reflects a raw offset and the other
+ // that reflects the cast.
+
+ // Compute the index for the new ElementRegion.
+ int64_t newIndex = 0;
+ const MemRegion *newSuperR = 0;
- uint64_t PointeeTySize = Ctx.getTypeSize(PointeeTy);
- uint64_t ObjTySize = Ctx.getTypeSize(ObjTy);
+ // We can only compute sizeof(PointeeTy) if it is a complete type.
+ if (IsCompleteType(Ctx, PointeeTy)) {
+ // Compute the size in **bytes**.
+ int64_t pointeeTySize = (int64_t) (Ctx.getTypeSize(PointeeTy) / 8);
+
+ // Is the offset a multiple of the size? If so, we can layer the
+ // ElementRegion (with elementType == PointeeTy) directly on top of
+ // the base region.
+ if (off % pointeeTySize == 0) {
+ newIndex = off / pointeeTySize;
+ newSuperR = baseR;
+ }
+ }
- if ((PointeeTySize > 0 && PointeeTySize < ObjTySize) ||
- (ObjTy->isAggregateType() && PointeeTy->isScalarType()) ||
- ObjTySize == 0 /* R has 'void*' type. */)
- return MakeElementRegion(state, R, PointeeTy, ToTy);
-
- state = setCastType(state, R, ToTy);
- break;
+ if (!newSuperR) {
+ // Create an intermediate ElementRegion to represent the raw byte.
+ // This will be the super region of the final ElementRegion.
+ SVal idx = ValMgr.makeArrayIndex(off);
+ newSuperR = MRMgr.getElementRegion(Ctx.CharTy, idx, baseR, Ctx);
+ }
+
+ return MakeElementRegion(state, newSuperR, PointeeTy, CastToTy, newIndex);
}
}
generated by cgit v1.2.3-18-g5258 (git 2.32.0) at 2025-05-03 04:33:55 +0000