Bug Summary

File:clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
Warning:line 470, column 10
Called C++ object pointer is null

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name SValBuilder.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mframe-pointer=none -relaxed-aliasing -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Core -resource-dir /usr/lib/llvm-14/lib/clang/14.0.0 -D CLANG_ROUND_TRIP_CC1_ARGS=ON -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Core -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/include -I /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/llvm/include -D NDEBUG -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/x86_64-linux-gnu/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/backward -internal-isystem /usr/lib/llvm-14/lib/clang/14.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wno-comment -std=c++14 -fdeprecated-macro -fdebug-compilation-dir=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/build-llvm/tools/clang/lib/StaticAnalyzer/Core -fdebug-prefix-map=/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0=. -ferror-limit 19 -fvisibility-inlines-hidden -stack-protector 2 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2021-08-28-193554-24367-1 -x c++ /build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
1//===- SValBuilder.cpp - Basic class for all SValBuilder implementations --===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines SValBuilder, the base class for all (complete) SValBuilder
10// implementations.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
15#include "clang/AST/ASTContext.h"
16#include "clang/AST/Decl.h"
17#include "clang/AST/DeclCXX.h"
18#include "clang/AST/ExprCXX.h"
19#include "clang/AST/ExprObjC.h"
20#include "clang/AST/Stmt.h"
21#include "clang/AST/Type.h"
22#include "clang/Basic/LLVM.h"
23#include "clang/Analysis/AnalysisDeclContext.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
25#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
29#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
30#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
31#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
32#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
33#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
34#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
35#include "llvm/ADT/APSInt.h"
36#include "llvm/ADT/None.h"
37#include "llvm/ADT/Optional.h"
38#include "llvm/Support/Casting.h"
39#include "llvm/Support/Compiler.h"
40#include <cassert>
41#include <tuple>
42
43using namespace clang;
44using namespace ento;
45
46//===----------------------------------------------------------------------===//
47// Basic SVal creation.
48//===----------------------------------------------------------------------===//
49
50void SValBuilder::anchor() {}
51
52DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) {
53 if (Loc::isLocType(type))
54 return makeNull();
55
56 if (type->isIntegralOrEnumerationType())
57 return makeIntVal(0, type);
58
59 if (type->isArrayType() || type->isRecordType() || type->isVectorType() ||
60 type->isAnyComplexType())
61 return makeCompoundVal(type, BasicVals.getEmptySValList());
62
63 // FIXME: Handle floats.
64 return UnknownVal();
65}
66
67NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
68 const llvm::APSInt& rhs, QualType type) {
69 // The Environment ensures we always get a persistent APSInt in
70 // BasicValueFactory, so we don't need to get the APSInt from
71 // BasicValueFactory again.
72 assert(lhs)(static_cast <bool> (lhs) ? void (0) : __assert_fail ("lhs"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 72, __extension__ __PRETTY_FUNCTION__));
73 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 73, __extension__ __PRETTY_FUNCTION__));
74 return nonloc::SymbolVal(SymMgr.getSymIntExpr(lhs, op, rhs, type));
75}
76
77NonLoc SValBuilder::makeNonLoc(const llvm::APSInt& lhs,
78 BinaryOperator::Opcode op, const SymExpr *rhs,
79 QualType type) {
80 assert(rhs)(static_cast <bool> (rhs) ? void (0) : __assert_fail ("rhs"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 80, __extension__ __PRETTY_FUNCTION__));
81 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 81, __extension__ __PRETTY_FUNCTION__));
82 return nonloc::SymbolVal(SymMgr.getIntSymExpr(lhs, op, rhs, type));
83}
84
85NonLoc SValBuilder::makeNonLoc(const SymExpr *lhs, BinaryOperator::Opcode op,
86 const SymExpr *rhs, QualType type) {
87 assert(lhs && rhs)(static_cast <bool> (lhs && rhs) ? void (0) : __assert_fail
("lhs && rhs", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 87, __extension__ __PRETTY_FUNCTION__));
88 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 88, __extension__ __PRETTY_FUNCTION__));
89 return nonloc::SymbolVal(SymMgr.getSymSymExpr(lhs, op, rhs, type));
90}
91
92NonLoc SValBuilder::makeNonLoc(const SymExpr *operand,
93 QualType fromTy, QualType toTy) {
94 assert(operand)(static_cast <bool> (operand) ? void (0) : __assert_fail
("operand", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 94, __extension__ __PRETTY_FUNCTION__));
95 assert(!Loc::isLocType(toTy))(static_cast <bool> (!Loc::isLocType(toTy)) ? void (0) :
__assert_fail ("!Loc::isLocType(toTy)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 95, __extension__ __PRETTY_FUNCTION__));
96 return nonloc::SymbolVal(SymMgr.getCastSymbol(operand, fromTy, toTy));
97}
98
99SVal SValBuilder::convertToArrayIndex(SVal val) {
100 if (val.isUnknownOrUndef())
101 return val;
102
103 // Common case: we have an appropriately sized integer.
104 if (Optional<nonloc::ConcreteInt> CI = val.getAs<nonloc::ConcreteInt>()) {
105 const llvm::APSInt& I = CI->getValue();
106 if (I.getBitWidth() == ArrayIndexWidth && I.isSigned())
107 return val;
108 }
109
110 return evalCast(val, ArrayIndexTy, QualType{});
111}
112
113nonloc::ConcreteInt SValBuilder::makeBoolVal(const CXXBoolLiteralExpr *boolean){
114 return makeTruthVal(boolean->getValue());
115}
116
117DefinedOrUnknownSVal
118SValBuilder::getRegionValueSymbolVal(const TypedValueRegion *region) {
119 QualType T = region->getValueType();
120
121 if (T->isNullPtrType())
122 return makeZeroVal(T);
123
124 if (!SymbolManager::canSymbolicate(T))
125 return UnknownVal();
126
127 SymbolRef sym = SymMgr.getRegionValueSymbol(region);
128
129 if (Loc::isLocType(T))
130 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
131
132 return nonloc::SymbolVal(sym);
133}
134
135DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag,
136 const Expr *Ex,
137 const LocationContext *LCtx,
138 unsigned Count) {
139 QualType T = Ex->getType();
140
141 if (T->isNullPtrType())
142 return makeZeroVal(T);
143
144 // Compute the type of the result. If the expression is not an R-value, the
145 // result should be a location.
146 QualType ExType = Ex->getType();
147 if (Ex->isGLValue())
148 T = LCtx->getAnalysisDeclContext()->getASTContext().getPointerType(ExType);
149
150 return conjureSymbolVal(SymbolTag, Ex, LCtx, T, Count);
151}
152
153DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag,
154 const Expr *expr,
155 const LocationContext *LCtx,
156 QualType type,
157 unsigned count) {
158 if (type->isNullPtrType())
159 return makeZeroVal(type);
160
161 if (!SymbolManager::canSymbolicate(type))
162 return UnknownVal();
163
164 SymbolRef sym = SymMgr.conjureSymbol(expr, LCtx, type, count, symbolTag);
165
166 if (Loc::isLocType(type))
167 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
168
169 return nonloc::SymbolVal(sym);
170}
171
172DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt,
173 const LocationContext *LCtx,
174 QualType type,
175 unsigned visitCount) {
176 if (type->isNullPtrType())
177 return makeZeroVal(type);
178
179 if (!SymbolManager::canSymbolicate(type))
180 return UnknownVal();
181
182 SymbolRef sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount);
183
184 if (Loc::isLocType(type))
185 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
186
187 return nonloc::SymbolVal(sym);
188}
189
190DefinedOrUnknownSVal
191SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
192 const LocationContext *LCtx,
193 unsigned VisitCount) {
194 QualType T = E->getType();
195 return getConjuredHeapSymbolVal(E, LCtx, T, VisitCount);
196}
197
198DefinedOrUnknownSVal
199SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
200 const LocationContext *LCtx,
201 QualType type, unsigned VisitCount) {
202 assert(Loc::isLocType(type))(static_cast <bool> (Loc::isLocType(type)) ? void (0) :
__assert_fail ("Loc::isLocType(type)", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 202, __extension__ __PRETTY_FUNCTION__));
203 assert(SymbolManager::canSymbolicate(type))(static_cast <bool> (SymbolManager::canSymbolicate(type
)) ? void (0) : __assert_fail ("SymbolManager::canSymbolicate(type)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 203, __extension__ __PRETTY_FUNCTION__));
204 if (type->isNullPtrType())
205 return makeZeroVal(type);
206
207 SymbolRef sym = SymMgr.conjureSymbol(E, LCtx, type, VisitCount);
208 return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(sym));
209}
210
211DefinedSVal SValBuilder::getMetadataSymbolVal(const void *symbolTag,
212 const MemRegion *region,
213 const Expr *expr, QualType type,
214 const LocationContext *LCtx,
215 unsigned count) {
216 assert(SymbolManager::canSymbolicate(type) && "Invalid metadata symbol type")(static_cast <bool> (SymbolManager::canSymbolicate(type
) && "Invalid metadata symbol type") ? void (0) : __assert_fail
("SymbolManager::canSymbolicate(type) && \"Invalid metadata symbol type\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 216, __extension__ __PRETTY_FUNCTION__));
217
218 SymbolRef sym =
219 SymMgr.getMetadataSymbol(region, expr, type, LCtx, count, symbolTag);
220
221 if (Loc::isLocType(type))
222 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
223
224 return nonloc::SymbolVal(sym);
225}
226
227DefinedOrUnknownSVal
228SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol,
229 const TypedValueRegion *region) {
230 QualType T = region->getValueType();
231
232 if (T->isNullPtrType())
233 return makeZeroVal(T);
234
235 if (!SymbolManager::canSymbolicate(T))
236 return UnknownVal();
237
238 SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region);
239
240 if (Loc::isLocType(T))
241 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
242
243 return nonloc::SymbolVal(sym);
244}
245
246DefinedSVal SValBuilder::getMemberPointer(const NamedDecl *ND) {
247 assert(!ND || isa<CXXMethodDecl>(ND) || isa<FieldDecl>(ND) ||(static_cast <bool> (!ND || isa<CXXMethodDecl>(ND
) || isa<FieldDecl>(ND) || isa<IndirectFieldDecl>
(ND)) ? void (0) : __assert_fail ("!ND || isa<CXXMethodDecl>(ND) || isa<FieldDecl>(ND) || isa<IndirectFieldDecl>(ND)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 248, __extension__ __PRETTY_FUNCTION__))
248 isa<IndirectFieldDecl>(ND))(static_cast <bool> (!ND || isa<CXXMethodDecl>(ND
) || isa<FieldDecl>(ND) || isa<IndirectFieldDecl>
(ND)) ? void (0) : __assert_fail ("!ND || isa<CXXMethodDecl>(ND) || isa<FieldDecl>(ND) || isa<IndirectFieldDecl>(ND)"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 248, __extension__ __PRETTY_FUNCTION__));
249
250 if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(ND)) {
251 // Sema treats pointers to static member functions as have function pointer
252 // type, so return a function pointer for the method.
253 // We don't need to play a similar trick for static member fields
254 // because these are represented as plain VarDecls and not FieldDecls
255 // in the AST.
256 if (MD->isStatic())
257 return getFunctionPointer(MD);
258 }
259
260 return nonloc::PointerToMember(ND);
261}
262
263DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {
264 return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func));
265}
266
267DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,
268 CanQualType locTy,
269 const LocationContext *locContext,
270 unsigned blockCount) {
271 const BlockCodeRegion *BC =
272 MemMgr.getBlockCodeRegion(block, locTy, locContext->getAnalysisDeclContext());
273 const BlockDataRegion *BD = MemMgr.getBlockDataRegion(BC, locContext,
274 blockCount);
275 return loc::MemRegionVal(BD);
276}
277
278Optional<loc::MemRegionVal>
279SValBuilder::getCastedMemRegionVal(const MemRegion *R, QualType Ty) {
280 if (auto OptR = StateMgr.getStoreManager().castRegion(R, Ty))
281 return loc::MemRegionVal(*OptR);
282 return None;
283}
284
285/// Return a memory region for the 'this' object reference.
286loc::MemRegionVal SValBuilder::getCXXThis(const CXXMethodDecl *D,
287 const StackFrameContext *SFC) {
288 return loc::MemRegionVal(
289 getRegionManager().getCXXThisRegion(D->getThisType(), SFC));
290}
291
292/// Return a memory region for the 'this' object reference.
293loc::MemRegionVal SValBuilder::getCXXThis(const CXXRecordDecl *D,
294 const StackFrameContext *SFC) {
295 const Type *T = D->getTypeForDecl();
296 QualType PT = getContext().getPointerType(QualType(T, 0));
297 return loc::MemRegionVal(getRegionManager().getCXXThisRegion(PT, SFC));
298}
299
300Optional<SVal> SValBuilder::getConstantVal(const Expr *E) {
301 E = E->IgnoreParens();
302
303 switch (E->getStmtClass()) {
304 // Handle expressions that we treat differently from the AST's constant
305 // evaluator.
306 case Stmt::AddrLabelExprClass:
307 return makeLoc(cast<AddrLabelExpr>(E));
308
309 case Stmt::CXXScalarValueInitExprClass:
310 case Stmt::ImplicitValueInitExprClass:
311 return makeZeroVal(E->getType());
312
313 case Stmt::ObjCStringLiteralClass: {
314 const auto *SL = cast<ObjCStringLiteral>(E);
315 return makeLoc(getRegionManager().getObjCStringRegion(SL));
316 }
317
318 case Stmt::StringLiteralClass: {
319 const auto *SL = cast<StringLiteral>(E);
320 return makeLoc(getRegionManager().getStringRegion(SL));
321 }
322
323 case Stmt::PredefinedExprClass: {
324 const auto *PE = cast<PredefinedExpr>(E);
325 assert(PE->getFunctionName() &&(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 327, __extension__ __PRETTY_FUNCTION__))
326 "Since we analyze only instantiated functions, PredefinedExpr "(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 327, __extension__ __PRETTY_FUNCTION__))
327 "should have a function name.")(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 327, __extension__ __PRETTY_FUNCTION__));
328 return makeLoc(getRegionManager().getStringRegion(PE->getFunctionName()));
329 }
330
331 // Fast-path some expressions to avoid the overhead of going through the AST's
332 // constant evaluator
333 case Stmt::CharacterLiteralClass: {
334 const auto *C = cast<CharacterLiteral>(E);
335 return makeIntVal(C->getValue(), C->getType());
336 }
337
338 case Stmt::CXXBoolLiteralExprClass:
339 return makeBoolVal(cast<CXXBoolLiteralExpr>(E));
340
341 case Stmt::TypeTraitExprClass: {
342 const auto *TE = cast<TypeTraitExpr>(E);
343 return makeTruthVal(TE->getValue(), TE->getType());
344 }
345
346 case Stmt::IntegerLiteralClass:
347 return makeIntVal(cast<IntegerLiteral>(E));
348
349 case Stmt::ObjCBoolLiteralExprClass:
350 return makeBoolVal(cast<ObjCBoolLiteralExpr>(E));
351
352 case Stmt::CXXNullPtrLiteralExprClass:
353 return makeNull();
354
355 case Stmt::CStyleCastExprClass:
356 case Stmt::CXXFunctionalCastExprClass:
357 case Stmt::CXXConstCastExprClass:
358 case Stmt::CXXReinterpretCastExprClass:
359 case Stmt::CXXStaticCastExprClass:
360 case Stmt::ImplicitCastExprClass: {
361 const auto *CE = cast<CastExpr>(E);
362 switch (CE->getCastKind()) {
363 default:
364 break;
365 case CK_ArrayToPointerDecay:
366 case CK_IntegralToPointer:
367 case CK_NoOp:
368 case CK_BitCast: {
369 const Expr *SE = CE->getSubExpr();
370 Optional<SVal> Val = getConstantVal(SE);
371 if (!Val)
372 return None;
373 return evalCast(*Val, CE->getType(), SE->getType());
374 }
375 }
376 // FALLTHROUGH
377 LLVM_FALLTHROUGH[[gnu::fallthrough]];
378 }
379
380 // If we don't have a special case, fall back to the AST's constant evaluator.
381 default: {
382 // Don't try to come up with a value for materialized temporaries.
383 if (E->isGLValue())
384 return None;
385
386 ASTContext &Ctx = getContext();
387 Expr::EvalResult Result;
388 if (E->EvaluateAsInt(Result, Ctx))
389 return makeIntVal(Result.Val.getInt());
390
391 if (Loc::isLocType(E->getType()))
392 if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull))
393 return makeNull();
394
395 return None;
396 }
397 }
398}
399
400SVal SValBuilder::makeSymExprValNN(BinaryOperator::Opcode Op,
401 NonLoc LHS, NonLoc RHS,
402 QualType ResultTy) {
403 SymbolRef symLHS = LHS.getAsSymbol();
404 SymbolRef symRHS = RHS.getAsSymbol();
405
406 // TODO: When the Max Complexity is reached, we should conjure a symbol
407 // instead of generating an Unknown value and propagate the taint info to it.
408 const unsigned MaxComp = StateMgr.getOwningEngine()
409 .getAnalysisManager()
410 .options.MaxSymbolComplexity;
411
412 if (symLHS && symRHS &&
413 (symLHS->computeComplexity() + symRHS->computeComplexity()) < MaxComp)
414 return makeNonLoc(symLHS, Op, symRHS, ResultTy);
415
416 if (symLHS && symLHS->computeComplexity() < MaxComp)
417 if (Optional<nonloc::ConcreteInt> rInt = RHS.getAs<nonloc::ConcreteInt>())
418 return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
419
420 if (symRHS && symRHS->computeComplexity() < MaxComp)
421 if (Optional<nonloc::ConcreteInt> lInt = LHS.getAs<nonloc::ConcreteInt>())
422 return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
423
424 return UnknownVal();
425}
426
427SVal SValBuilder::evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op,
428 SVal lhs, SVal rhs, QualType type) {
429 if (lhs.isUndef() || rhs.isUndef())
430 return UndefinedVal();
431
432 if (lhs.isUnknown() || rhs.isUnknown())
433 return UnknownVal();
434
435 if (lhs.getAs<nonloc::LazyCompoundVal>() ||
436 rhs.getAs<nonloc::LazyCompoundVal>()) {
437 return UnknownVal();
438 }
439
440 if (op == BinaryOperatorKind::BO_Cmp) {
441 // We can't reason about C++20 spaceship operator yet.
442 //
443 // FIXME: Support C++20 spaceship operator.
444 // The main problem here is that the result is not integer.
445 return UnknownVal();
446 }
447
448 if (Optional<Loc> LV = lhs.getAs<Loc>()) {
449 if (Optional<Loc> RV = rhs.getAs<Loc>())
450 return evalBinOpLL(state, op, *LV, *RV, type);
451
452 return evalBinOpLN(state, op, *LV, rhs.castAs<NonLoc>(), type);
453 }
454
455 if (Optional<Loc> RV = rhs.getAs<Loc>()) {
456 // Support pointer arithmetic where the addend is on the left
457 // and the pointer on the right.
458 assert(op == BO_Add)(static_cast <bool> (op == BO_Add) ? void (0) : __assert_fail
("op == BO_Add", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 458, __extension__ __PRETTY_FUNCTION__));
459
460 // Commute the operands.
461 return evalBinOpLN(state, op, *RV, lhs.castAs<NonLoc>(), type);
462 }
463
464 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), rhs.castAs<NonLoc>(),
465 type);
466}
467
468ConditionTruthVal SValBuilder::areEqual(ProgramStateRef state, SVal lhs,
469 SVal rhs) {
470 return state->isNonNull(evalEQ(state, lhs, rhs));
Called C++ object pointer is null
471}
472
473SVal SValBuilder::evalEQ(ProgramStateRef state, SVal lhs, SVal rhs) {
474 return evalBinOp(state, BO_EQ, lhs, rhs, getConditionType());
475}
476
477DefinedOrUnknownSVal SValBuilder::evalEQ(ProgramStateRef state,
478 DefinedOrUnknownSVal lhs,
479 DefinedOrUnknownSVal rhs) {
480 return evalEQ(state, static_cast<SVal>(lhs), static_cast<SVal>(rhs))
481 .castAs<DefinedOrUnknownSVal>();
482}
483
484/// Recursively check if the pointer types are equal modulo const, volatile,
485/// and restrict qualifiers. Also, assume that all types are similar to 'void'.
486/// Assumes the input types are canonical.
487static bool shouldBeModeledWithNoOp(ASTContext &Context, QualType ToTy,
488 QualType FromTy) {
489 while (Context.UnwrapSimilarTypes(ToTy, FromTy)) {
490 Qualifiers Quals1, Quals2;
491 ToTy = Context.getUnqualifiedArrayType(ToTy, Quals1);
492 FromTy = Context.getUnqualifiedArrayType(FromTy, Quals2);
493
494 // Make sure that non-cvr-qualifiers the other qualifiers (e.g., address
495 // spaces) are identical.
496 Quals1.removeCVRQualifiers();
497 Quals2.removeCVRQualifiers();
498 if (Quals1 != Quals2)
499 return false;
500 }
501
502 // If we are casting to void, the 'From' value can be used to represent the
503 // 'To' value.
504 //
505 // FIXME: Doing this after unwrapping the types doesn't make any sense. A
506 // cast from 'int**' to 'void**' is not special in the way that a cast from
507 // 'int*' to 'void*' is.
508 if (ToTy->isVoidType())
509 return true;
510
511 if (ToTy != FromTy)
512 return false;
513
514 return true;
515}
516
517// Handles casts of type CK_IntegralCast.
518// At the moment, this function will redirect to evalCast, except when the range
519// of the original value is known to be greater than the max of the target type.
520SVal SValBuilder::evalIntegralCast(ProgramStateRef state, SVal val,
521 QualType castTy, QualType originalTy) {
522 // No truncations if target type is big enough.
523 if (getContext().getTypeSize(castTy) >= getContext().getTypeSize(originalTy))
524 return evalCast(val, castTy, originalTy);
525
526 SymbolRef se = val.getAsSymbol();
527 if (!se) // Let evalCast handle non symbolic expressions.
528 return evalCast(val, castTy, originalTy);
529
530 // Find the maximum value of the target type.
531 APSIntType ToType(getContext().getTypeSize(castTy),
532 castTy->isUnsignedIntegerType());
533 llvm::APSInt ToTypeMax = ToType.getMaxValue();
534 NonLoc ToTypeMaxVal =
535 makeIntVal(ToTypeMax.isUnsigned() ? ToTypeMax.getZExtValue()
536 : ToTypeMax.getSExtValue(),
537 castTy)
538 .castAs<NonLoc>();
539 // Check the range of the symbol being casted against the maximum value of the
540 // target type.
541 NonLoc FromVal = val.castAs<NonLoc>();
542 QualType CmpTy = getConditionType();
543 NonLoc CompVal =
544 evalBinOpNN(state, BO_LE, FromVal, ToTypeMaxVal, CmpTy).castAs<NonLoc>();
545 ProgramStateRef IsNotTruncated, IsTruncated;
546 std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal);
547 if (!IsNotTruncated && IsTruncated) {
548 // Symbol is truncated so we evaluate it as a cast.
549 NonLoc CastVal = makeNonLoc(se, originalTy, castTy);
550 return CastVal;
551 }
552 return evalCast(val, castTy, originalTy);
553}
554
555//===----------------------------------------------------------------------===//
556// Cast methods.
557// `evalCast` is the main method
558// `evalCastKind` and `evalCastSubKind` are helpers
559//===----------------------------------------------------------------------===//
560
561/// Cast a given SVal to another SVal using given QualType's.
562/// \param V -- SVal that should be casted.
563/// \param CastTy -- QualType that V should be casted according to.
564/// \param OriginalTy -- QualType which is associated to V. It provides
565/// additional information about what type the cast performs from.
566/// \returns the most appropriate casted SVal.
567/// Note: Many cases don't use an exact OriginalTy. It can be extracted
568/// from SVal or the cast can performs unconditionaly. Always pass OriginalTy!
569/// It can be crucial in certain cases and generates different results.
570/// FIXME: If `OriginalTy.isNull()` is true, then cast performs based on CastTy
571/// only. This behavior is uncertain and should be improved.
572SVal SValBuilder::evalCast(SVal V, QualType CastTy, QualType OriginalTy) {
573 if (CastTy.isNull())
574 return V;
575
576 CastTy = Context.getCanonicalType(CastTy);
577
578 const bool IsUnknownOriginalType = OriginalTy.isNull();
579 if (!IsUnknownOriginalType) {
580 OriginalTy = Context.getCanonicalType(OriginalTy);
581
582 if (CastTy == OriginalTy)
583 return V;
584
585 // FIXME: Move this check to the most appropriate
586 // evalCastKind/evalCastSubKind function. For const casts, casts to void,
587 // just propagate the value.
588 if (!CastTy->isVariableArrayType() && !OriginalTy->isVariableArrayType())
589 if (shouldBeModeledWithNoOp(Context, Context.getPointerType(CastTy),
590 Context.getPointerType(OriginalTy)))
591 return V;
592 }
593
594 // Cast SVal according to kinds.
595 switch (V.getBaseKind()) {
596 case SVal::UndefinedValKind:
597 return evalCastKind(V.castAs<UndefinedVal>(), CastTy, OriginalTy);
598 case SVal::UnknownValKind:
599 return evalCastKind(V.castAs<UnknownVal>(), CastTy, OriginalTy);
600 case SVal::LocKind:
601 return evalCastKind(V.castAs<Loc>(), CastTy, OriginalTy);
602 case SVal::NonLocKind:
603 return evalCastKind(V.castAs<NonLoc>(), CastTy, OriginalTy);
604 }
605
606 llvm_unreachable("Unknown SVal kind")::llvm::llvm_unreachable_internal("Unknown SVal kind", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 606);
607}
608
609SVal SValBuilder::evalCastKind(UndefinedVal V, QualType CastTy,
610 QualType OriginalTy) {
611 return V;
612}
613
614SVal SValBuilder::evalCastKind(UnknownVal V, QualType CastTy,
615 QualType OriginalTy) {
616 return V;
617}
618
619SVal SValBuilder::evalCastKind(Loc V, QualType CastTy, QualType OriginalTy) {
620 switch (V.getSubKind()) {
621 case loc::ConcreteIntKind:
622 return evalCastSubKind(V.castAs<loc::ConcreteInt>(), CastTy, OriginalTy);
623 case loc::GotoLabelKind:
624 return evalCastSubKind(V.castAs<loc::GotoLabel>(), CastTy, OriginalTy);
625 case loc::MemRegionValKind:
626 return evalCastSubKind(V.castAs<loc::MemRegionVal>(), CastTy, OriginalTy);
627 }
628
629 llvm_unreachable("Unknown SVal kind")::llvm::llvm_unreachable_internal("Unknown SVal kind", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 629);
630}
631
632SVal SValBuilder::evalCastKind(NonLoc V, QualType CastTy, QualType OriginalTy) {
633 switch (V.getSubKind()) {
634 case nonloc::CompoundValKind:
635 return evalCastSubKind(V.castAs<nonloc::CompoundVal>(), CastTy, OriginalTy);
636 case nonloc::ConcreteIntKind:
637 return evalCastSubKind(V.castAs<nonloc::ConcreteInt>(), CastTy, OriginalTy);
638 case nonloc::LazyCompoundValKind:
639 return evalCastSubKind(V.castAs<nonloc::LazyCompoundVal>(), CastTy,
640 OriginalTy);
641 case nonloc::LocAsIntegerKind:
642 return evalCastSubKind(V.castAs<nonloc::LocAsInteger>(), CastTy,
643 OriginalTy);
644 case nonloc::SymbolValKind:
645 return evalCastSubKind(V.castAs<nonloc::SymbolVal>(), CastTy, OriginalTy);
646 case nonloc::PointerToMemberKind:
647 return evalCastSubKind(V.castAs<nonloc::PointerToMember>(), CastTy,
648 OriginalTy);
649 }
650
651 llvm_unreachable("Unknown SVal kind")::llvm::llvm_unreachable_internal("Unknown SVal kind", "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 651);
652}
653
654SVal SValBuilder::evalCastSubKind(loc::ConcreteInt V, QualType CastTy,
655 QualType OriginalTy) {
656 // Pointer to bool.
657 if (CastTy->isBooleanType())
658 return makeTruthVal(V.getValue().getBoolValue(), CastTy);
659
660 // Pointer to integer.
661 if (CastTy->isIntegralOrEnumerationType()) {
662 llvm::APSInt Value = V.getValue();
663 BasicVals.getAPSIntType(CastTy).apply(Value);
664 return makeIntVal(Value);
665 }
666
667 // Pointer to any pointer.
668 if (Loc::isLocType(CastTy))
669 return V;
670
671 // Pointer to whatever else.
672 return UnknownVal();
673}
674
675SVal SValBuilder::evalCastSubKind(loc::GotoLabel V, QualType CastTy,
676 QualType OriginalTy) {
677 // Pointer to bool.
678 if (CastTy->isBooleanType())
679 // Labels are always true.
680 return makeTruthVal(true, CastTy);
681
682 // Pointer to integer.
683 if (CastTy->isIntegralOrEnumerationType()) {
684 const unsigned BitWidth = Context.getIntWidth(CastTy);
685 return makeLocAsInteger(V, BitWidth);
686 }
687
688 const bool IsUnknownOriginalType = OriginalTy.isNull();
689 if (!IsUnknownOriginalType) {
690 // Array to pointer.
691 if (isa<ArrayType>(OriginalTy))
692 if (CastTy->isPointerType() || CastTy->isReferenceType())
693 return UnknownVal();
694 }
695
696 // Pointer to any pointer.
697 if (Loc::isLocType(CastTy))
698 return V;
699
700 // Pointer to whatever else.
701 return UnknownVal();
702}
703
704static bool hasSameUnqualifiedPointeeType(QualType ty1, QualType ty2) {
705 return ty1->getPointeeType().getCanonicalType().getTypePtr() ==
706 ty2->getPointeeType().getCanonicalType().getTypePtr();
707}
708
709SVal SValBuilder::evalCastSubKind(loc::MemRegionVal V, QualType CastTy,
710 QualType OriginalTy) {
711 // Pointer to bool.
712 if (CastTy->isBooleanType()) {
713 const MemRegion *R = V.getRegion();
714 if (const FunctionCodeRegion *FTR = dyn_cast<FunctionCodeRegion>(R))
715 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl()))
716 if (FD->isWeak())
717 // FIXME: Currently we are using an extent symbol here,
718 // because there are no generic region address metadata
719 // symbols to use, only content metadata.
720 return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR));
721
722 if (const SymbolicRegion *SymR = R->getSymbolicBase()) {
723 SymbolRef Sym = SymR->getSymbol();
724 QualType Ty = Sym->getType();
725 // This change is needed for architectures with varying
726 // pointer widths. See the amdgcn opencl reproducer with
727 // this change as an example: solver-sym-simplification-ptr-bool.cl
728 // FIXME: Cleanup remainder of `getZeroWithPtrWidth ()`
729 // and `getIntWithPtrWidth()` functions to prevent future
730 // confusion
731 if (!Ty->isReferenceType())
732 return makeNonLoc(Sym, BO_NE, BasicVals.getZeroWithTypeSize(Ty),
733 CastTy);
734 }
735 // Non-symbolic memory regions are always true.
736 return makeTruthVal(true, CastTy);
737 }
738
739 const bool IsUnknownOriginalType = OriginalTy.isNull();
740 // Try to cast to array
741 const auto *ArrayTy =
742 IsUnknownOriginalType
743 ? nullptr
744 : dyn_cast<ArrayType>(OriginalTy.getCanonicalType());
745
746 // Pointer to integer.
747 if (CastTy->isIntegralOrEnumerationType()) {
748 SVal Val = V;
749 // Array to integer.
750 if (ArrayTy) {
751 // We will always decay to a pointer.
752 QualType ElemTy = ArrayTy->getElementType();
753 Val = StateMgr.ArrayToPointer(V, ElemTy);
754 // FIXME: Keep these here for now in case we decide soon that we
755 // need the original decayed type.
756 // QualType elemTy = cast<ArrayType>(originalTy)->getElementType();
757 // QualType pointerTy = C.getPointerType(elemTy);
758 }
759 const unsigned BitWidth = Context.getIntWidth(CastTy);
760 return makeLocAsInteger(Val.castAs<Loc>(), BitWidth);
761 }
762
763 // Pointer to pointer.
764 if (Loc::isLocType(CastTy)) {
765
766 if (IsUnknownOriginalType) {
767 // When retrieving symbolic pointer and expecting a non-void pointer,
768 // wrap them into element regions of the expected type if necessary.
769 // It is necessary to make sure that the retrieved value makes sense,
770 // because there's no other cast in the AST that would tell us to cast
771 // it to the correct pointer type. We might need to do that for non-void
772 // pointers as well.
773 // FIXME: We really need a single good function to perform casts for us
774 // correctly every time we need it.
775 const MemRegion *R = V.getRegion();
776 if (CastTy->isPointerType() && !CastTy->isVoidPointerType()) {
777 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) {
778 QualType SRTy = SR->getSymbol()->getType();
779 if (!hasSameUnqualifiedPointeeType(SRTy, CastTy)) {
780 if (auto OptMemRegV = getCastedMemRegionVal(SR, CastTy))
781 return *OptMemRegV;
782 }
783 }
784 }
785 // Next fixes pointer dereference using type different from its initial
786 // one. See PR37503 and PR49007 for details.
787 if (const auto *ER = dyn_cast<ElementRegion>(R)) {
788 if (auto OptMemRegV = getCastedMemRegionVal(ER, CastTy))
789 return *OptMemRegV;
790 }
791
792 return V;
793 }
794
795 if (OriginalTy->isIntegralOrEnumerationType() ||
796 OriginalTy->isBlockPointerType() || OriginalTy->isFunctionPointerType())
797 return V;
798
799 // Array to pointer.
800 if (ArrayTy) {
801 // Are we casting from an array to a pointer? If so just pass on
802 // the decayed value.
803 if (CastTy->isPointerType() || CastTy->isReferenceType()) {
804 // We will always decay to a pointer.
805 QualType ElemTy = ArrayTy->getElementType();
806 return StateMgr.ArrayToPointer(V, ElemTy);
807 }
808 // Are we casting from an array to an integer? If so, cast the decayed
809 // pointer value to an integer.
810 assert(CastTy->isIntegralOrEnumerationType())(static_cast <bool> (CastTy->isIntegralOrEnumerationType
()) ? void (0) : __assert_fail ("CastTy->isIntegralOrEnumerationType()"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 810, __extension__ __PRETTY_FUNCTION__));
811 }
812
813 // Other pointer to pointer.
814 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() ||(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 815, __extension__ __PRETTY_FUNCTION__))
815 CastTy->isReferenceType())(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 815, __extension__ __PRETTY_FUNCTION__));
816
817 // We get a symbolic function pointer for a dereference of a function
818 // pointer, but it is of function type. Example:
819
820 // struct FPRec {
821 // void (*my_func)(int * x);
822 // };
823 //
824 // int bar(int x);
825 //
826 // int f1_a(struct FPRec* foo) {
827 // int x;
828 // (*foo->my_func)(&x);
829 // return bar(x)+1; // no-warning
830 // }
831
832 // Get the result of casting a region to a different type.
833 const MemRegion *R = V.getRegion();
834 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy))
835 return *OptMemRegV;
836 }
837
838 // Pointer to whatever else.
839 // FIXME: There can be gross cases where one casts the result of a
840 // function (that returns a pointer) to some other value that happens to
841 // fit within that pointer value. We currently have no good way to model
842 // such operations. When this happens, the underlying operation is that
843 // the caller is reasoning about bits. Conceptually we are layering a
844 // "view" of a location on top of those bits. Perhaps we need to be more
845 // lazy about mutual possible views, even on an SVal? This may be
846 // necessary for bit-level reasoning as well.
847 return UnknownVal();
848}
849
850SVal SValBuilder::evalCastSubKind(nonloc::CompoundVal V, QualType CastTy,
851 QualType OriginalTy) {
852 // Compound to whatever.
853 return UnknownVal();
854}
855
856SVal SValBuilder::evalCastSubKind(nonloc::ConcreteInt V, QualType CastTy,
857 QualType OriginalTy) {
858 auto CastedValue = [V, CastTy, this]() {
859 llvm::APSInt Value = V.getValue();
860 BasicVals.getAPSIntType(CastTy).apply(Value);
861 return Value;
862 };
863
864 // Integer to bool.
865 if (CastTy->isBooleanType())
866 return makeTruthVal(V.getValue().getBoolValue(), CastTy);
867
868 // Integer to pointer.
869 if (CastTy->isIntegralOrEnumerationType())
870 return makeIntVal(CastedValue());
871
872 // Integer to pointer.
873 if (Loc::isLocType(CastTy))
874 return makeIntLocVal(CastedValue());
875
876 // Pointer to whatever else.
877 return UnknownVal();
878}
879
880SVal SValBuilder::evalCastSubKind(nonloc::LazyCompoundVal V, QualType CastTy,
881 QualType OriginalTy) {
882 // Compound to whatever.
883 return UnknownVal();
884}
885
886SVal SValBuilder::evalCastSubKind(nonloc::LocAsInteger V, QualType CastTy,
887 QualType OriginalTy) {
888 Loc L = V.getLoc();
889
890 // Pointer as integer to bool.
891 if (CastTy->isBooleanType())
892 // Pass to Loc function.
893 return evalCastKind(L, CastTy, OriginalTy);
894
895 const bool IsUnknownOriginalType = OriginalTy.isNull();
896 // Pointer as integer to pointer.
897 if (!IsUnknownOriginalType && Loc::isLocType(CastTy) &&
898 OriginalTy->isIntegralOrEnumerationType()) {
899 if (const MemRegion *R = L.getAsRegion())
900 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy))
901 return *OptMemRegV;
902 return L;
903 }
904
905 // Pointer as integer with region to integer/pointer.
906 const MemRegion *R = L.getAsRegion();
907 if (!IsUnknownOriginalType && R) {
908 if (CastTy->isIntegralOrEnumerationType())
909 return evalCastSubKind(loc::MemRegionVal(R), CastTy, OriginalTy);
910
911 if (Loc::isLocType(CastTy)) {
912 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() ||(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 913, __extension__ __PRETTY_FUNCTION__))
913 CastTy->isReferenceType())(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "/build/llvm-toolchain-snapshot-14~++20210828111110+16086d47c0d0/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 913, __extension__ __PRETTY_FUNCTION__));
914 // Delegate to store manager to get the result of casting a region to a
915 // different type. If the MemRegion* returned is NULL, this expression
916 // Evaluates to UnknownVal.
917 if (auto OptMemRegV = getCastedMemRegionVal(R, CastTy))
918 return *OptMemRegV;
919 }
920 } else {
921 if (Loc::isLocType(CastTy)) {
922 if (IsUnknownOriginalType)
923 return evalCastSubKind(loc::MemRegionVal(R), CastTy, OriginalTy);
924 return L;
925 }
926
927 SymbolRef SE = nullptr;
928 if (R) {
929 if (const SymbolicRegion *SR =
930 dyn_cast<SymbolicRegion>(R->StripCasts())) {
931 SE = SR->getSymbol();
932 }
933 }
934
935 if (!CastTy->isFloatingType() || !SE || SE->getType()->isFloatingType()) {
936 // FIXME: Correctly support promotions/truncations.
937 const unsigned CastSize = Context.getIntWidth(CastTy);
938 if (CastSize == V.getNumBits())
939 return V;
940
941 return makeLocAsInteger(L, CastSize);
942 }
943 }
944
945 // Pointer as integer to whatever else.
946 return UnknownVal();
947}
948
949SVal SValBuilder::evalCastSubKind(nonloc::SymbolVal V, QualType CastTy,
950 QualType OriginalTy) {
951 SymbolRef SE = V.getSymbol();
952
953 const bool IsUnknownOriginalType = OriginalTy.isNull();
954 // Symbol to bool.
955 if (!IsUnknownOriginalType && CastTy->isBooleanType()) {
956 // Non-float to bool.
957 if (Loc::isLocType(OriginalTy) ||
958 OriginalTy->isIntegralOrEnumerationType() ||
959 OriginalTy->isMemberPointerType()) {
960 BasicValueFactory &BVF = getBasicValueFactory();
961 return makeNonLoc(SE, BO_NE, BVF.getValue(0, SE->getType()), CastTy);
962 }
963 } else {
964 // Symbol to integer, float.
965 QualType T = Context.getCanonicalType(SE->getType());
966 // If types are the same or both are integers, ignore the cast.
967 // FIXME: Remove this hack when we support symbolic truncation/extension.
968 // HACK: If both castTy and T are integers, ignore the cast. This is
969 // not a permanent solution. Eventually we want to precisely handle
970 // extension/truncation of symbolic integers. This prevents us from losing
971 // precision when we assign 'x = y' and 'y' is symbolic and x and y are
972 // different integer types.
973 if (haveSameType(T, CastTy))
974 return V;
975 if (!Loc::isLocType(CastTy))
976 if (!IsUnknownOriginalType || !CastTy->isFloatingType() ||
977 T->isFloatingType())
978 return makeNonLoc(SE, T, CastTy);
979 }
980
981 // Symbol to pointer and whatever else.
982 return UnknownVal();
983}
984
985SVal SValBuilder::evalCastSubKind(nonloc::PointerToMember V, QualType CastTy,
986 QualType OriginalTy) {
987 // Member pointer to whatever.
988 return V;
989}