Bug Summary

File:build/source/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
Warning:line 538, column 10
Called C++ object pointer is null

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name SValBuilder.cpp -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mframe-pointer=none -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/build/source/build-llvm -resource-dir /usr/lib/llvm-17/lib/clang/17 -I tools/clang/lib/StaticAnalyzer/Core -I /build/source/clang/lib/StaticAnalyzer/Core -I /build/source/clang/include -I tools/clang/include -I include -I /build/source/llvm/include -D _DEBUG -D _GLIBCXX_ASSERTIONS -D _GNU_SOURCE -D _LIBCPP_ENABLE_ASSERTIONS -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -D _FORTIFY_SOURCE=2 -D NDEBUG -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/x86_64-linux-gnu/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/backward -internal-isystem /usr/lib/llvm-17/lib/clang/17/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/build/source/build-llvm=build-llvm -fmacro-prefix-map=/build/source/= -fcoverage-prefix-map=/build/source/build-llvm=build-llvm -fcoverage-prefix-map=/build/source/= -O3 -Wno-unused-command-line-argument -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wno-comment -Wno-misleading-indentation -std=c++17 -fdeprecated-macro -fdebug-compilation-dir=/build/source/build-llvm -fdebug-prefix-map=/build/source/build-llvm=build-llvm -fdebug-prefix-map=/build/source/= -fdebug-prefix-map=/build/source/build-llvm=build-llvm -fdebug-prefix-map=/build/source/= -ferror-limit 19 -fvisibility-inlines-hidden -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2023-05-10-133810-16478-1 -x c++ /build/source/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
1//===- SValBuilder.cpp - Basic class for all SValBuilder implementations --===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines SValBuilder, the base class for all (complete) SValBuilder
10// implementations.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
15#include "clang/AST/ASTContext.h"
16#include "clang/AST/Decl.h"
17#include "clang/AST/DeclCXX.h"
18#include "clang/AST/ExprCXX.h"
19#include "clang/AST/ExprObjC.h"
20#include "clang/AST/Stmt.h"
21#include "clang/AST/Type.h"
22#include "clang/Analysis/AnalysisDeclContext.h"
23#include "clang/Basic/LLVM.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
25#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
29#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
30#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
31#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
32#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
33#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
34#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
35#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
36#include "llvm/ADT/APSInt.h"
37#include "llvm/Support/Casting.h"
38#include "llvm/Support/Compiler.h"
39#include <cassert>
40#include <optional>
41#include <tuple>
42
43using namespace clang;
44using namespace ento;
45
46//===----------------------------------------------------------------------===//
47// Basic SVal creation.
48//===----------------------------------------------------------------------===//
49
50void SValBuilder::anchor() {}
51
52SValBuilder::SValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context,
53 ProgramStateManager &stateMgr)
54 : Context(context), BasicVals(context, alloc),
55 SymMgr(context, BasicVals, alloc), MemMgr(context, alloc),
56 StateMgr(stateMgr),
57 AnOpts(
58 stateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions()),
59 ArrayIndexTy(context.LongLongTy),
60 ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {}
61
62DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) {
63 if (Loc::isLocType(type))
64 return makeNullWithType(type);
65
66 if (type->isIntegralOrEnumerationType())
67 return makeIntVal(0, type);
68
69 if (type->isArrayType() || type->isRecordType() || type->isVectorType() ||
70 type->isAnyComplexType())
71 return makeCompoundVal(type, BasicVals.getEmptySValList());
72
73 // FIXME: Handle floats.
74 return UnknownVal();
75}
76
77nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *lhs,
78 BinaryOperator::Opcode op,
79 const llvm::APSInt &rhs,
80 QualType type) {
81 // The Environment ensures we always get a persistent APSInt in
82 // BasicValueFactory, so we don't need to get the APSInt from
83 // BasicValueFactory again.
84 assert(lhs)(static_cast <bool> (lhs) ? void (0) : __assert_fail ("lhs"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 84, __extension__
__PRETTY_FUNCTION__));
85 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 85, __extension__ __PRETTY_FUNCTION__));
86 return nonloc::SymbolVal(SymMgr.getSymIntExpr(lhs, op, rhs, type));
87}
88
89nonloc::SymbolVal SValBuilder::makeNonLoc(const llvm::APSInt &lhs,
90 BinaryOperator::Opcode op,
91 const SymExpr *rhs, QualType type) {
92 assert(rhs)(static_cast <bool> (rhs) ? void (0) : __assert_fail ("rhs"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 92, __extension__
__PRETTY_FUNCTION__));
93 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 93, __extension__ __PRETTY_FUNCTION__));
94 return nonloc::SymbolVal(SymMgr.getIntSymExpr(lhs, op, rhs, type));
95}
96
97nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *lhs,
98 BinaryOperator::Opcode op,
99 const SymExpr *rhs, QualType type) {
100 assert(lhs && rhs)(static_cast <bool> (lhs && rhs) ? void (0) : __assert_fail
("lhs && rhs", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 100, __extension__ __PRETTY_FUNCTION__));
101 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 101, __extension__ __PRETTY_FUNCTION__));
102 return nonloc::SymbolVal(SymMgr.getSymSymExpr(lhs, op, rhs, type));
103}
104
105NonLoc SValBuilder::makeNonLoc(const SymExpr *operand, UnaryOperator::Opcode op,
106 QualType type) {
107 assert(operand)(static_cast <bool> (operand) ? void (0) : __assert_fail
("operand", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp",
107, __extension__ __PRETTY_FUNCTION__));
108 assert(!Loc::isLocType(type))(static_cast <bool> (!Loc::isLocType(type)) ? void (0) :
__assert_fail ("!Loc::isLocType(type)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 108, __extension__ __PRETTY_FUNCTION__));
109 return nonloc::SymbolVal(SymMgr.getUnarySymExpr(operand, op, type));
110}
111
112nonloc::SymbolVal SValBuilder::makeNonLoc(const SymExpr *operand,
113 QualType fromTy, QualType toTy) {
114 assert(operand)(static_cast <bool> (operand) ? void (0) : __assert_fail
("operand", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp",
114, __extension__ __PRETTY_FUNCTION__));
115 assert(!Loc::isLocType(toTy))(static_cast <bool> (!Loc::isLocType(toTy)) ? void (0) :
__assert_fail ("!Loc::isLocType(toTy)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 115, __extension__ __PRETTY_FUNCTION__));
116 if (fromTy == toTy)
117 return operand;
118 return nonloc::SymbolVal(SymMgr.getCastSymbol(operand, fromTy, toTy));
119}
120
121SVal SValBuilder::convertToArrayIndex(SVal val) {
122 if (val.isUnknownOrUndef())
123 return val;
124
125 // Common case: we have an appropriately sized integer.
126 if (std::optional<nonloc::ConcreteInt> CI =
127 val.getAs<nonloc::ConcreteInt>()) {
128 const llvm::APSInt& I = CI->getValue();
129 if (I.getBitWidth() == ArrayIndexWidth && I.isSigned())
130 return val;
131 }
132
133 return evalCast(val, ArrayIndexTy, QualType{});
134}
135
136nonloc::ConcreteInt SValBuilder::makeBoolVal(const CXXBoolLiteralExpr *boolean){
137 return makeTruthVal(boolean->getValue());
138}
139
140DefinedOrUnknownSVal
141SValBuilder::getRegionValueSymbolVal(const TypedValueRegion *region) {
142 QualType T = region->getValueType();
143
144 if (T->isNullPtrType())
145 return makeZeroVal(T);
146
147 if (!SymbolManager::canSymbolicate(T))
148 return UnknownVal();
149
150 SymbolRef sym = SymMgr.getRegionValueSymbol(region);
151
152 if (Loc::isLocType(T))
153 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
154
155 return nonloc::SymbolVal(sym);
156}
157
158DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *SymbolTag,
159 const Expr *Ex,
160 const LocationContext *LCtx,
161 unsigned Count) {
162 QualType T = Ex->getType();
163
164 if (T->isNullPtrType())
165 return makeZeroVal(T);
166
167 // Compute the type of the result. If the expression is not an R-value, the
168 // result should be a location.
169 QualType ExType = Ex->getType();
170 if (Ex->isGLValue())
171 T = LCtx->getAnalysisDeclContext()->getASTContext().getPointerType(ExType);
172
173 return conjureSymbolVal(SymbolTag, Ex, LCtx, T, Count);
174}
175
176DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const void *symbolTag,
177 const Expr *expr,
178 const LocationContext *LCtx,
179 QualType type,
180 unsigned count) {
181 if (type->isNullPtrType())
182 return makeZeroVal(type);
183
184 if (!SymbolManager::canSymbolicate(type))
185 return UnknownVal();
186
187 SymbolRef sym = SymMgr.conjureSymbol(expr, LCtx, type, count, symbolTag);
188
189 if (Loc::isLocType(type))
190 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
191
192 return nonloc::SymbolVal(sym);
193}
194
195DefinedOrUnknownSVal SValBuilder::conjureSymbolVal(const Stmt *stmt,
196 const LocationContext *LCtx,
197 QualType type,
198 unsigned visitCount) {
199 if (type->isNullPtrType())
200 return makeZeroVal(type);
201
202 if (!SymbolManager::canSymbolicate(type))
203 return UnknownVal();
204
205 SymbolRef sym = SymMgr.conjureSymbol(stmt, LCtx, type, visitCount);
206
207 if (Loc::isLocType(type))
208 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
209
210 return nonloc::SymbolVal(sym);
211}
212
213DefinedOrUnknownSVal
214SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
215 const LocationContext *LCtx,
216 unsigned VisitCount) {
217 QualType T = E->getType();
218 return getConjuredHeapSymbolVal(E, LCtx, T, VisitCount);
219}
220
221DefinedOrUnknownSVal
222SValBuilder::getConjuredHeapSymbolVal(const Expr *E,
223 const LocationContext *LCtx,
224 QualType type, unsigned VisitCount) {
225 assert(Loc::isLocType(type))(static_cast <bool> (Loc::isLocType(type)) ? void (0) :
__assert_fail ("Loc::isLocType(type)", "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp"
, 225, __extension__ __PRETTY_FUNCTION__));
226 assert(SymbolManager::canSymbolicate(type))(static_cast <bool> (SymbolManager::canSymbolicate(type
)) ? void (0) : __assert_fail ("SymbolManager::canSymbolicate(type)"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 226, __extension__
__PRETTY_FUNCTION__));
227 if (type->isNullPtrType())
228 return makeZeroVal(type);
229
230 SymbolRef sym = SymMgr.conjureSymbol(E, LCtx, type, VisitCount);
231 return loc::MemRegionVal(MemMgr.getSymbolicHeapRegion(sym));
232}
233
234DefinedSVal SValBuilder::getMetadataSymbolVal(const void *symbolTag,
235 const MemRegion *region,
236 const Expr *expr, QualType type,
237 const LocationContext *LCtx,
238 unsigned count) {
239 assert(SymbolManager::canSymbolicate(type) && "Invalid metadata symbol type")(static_cast <bool> (SymbolManager::canSymbolicate(type
) && "Invalid metadata symbol type") ? void (0) : __assert_fail
("SymbolManager::canSymbolicate(type) && \"Invalid metadata symbol type\""
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 239, __extension__
__PRETTY_FUNCTION__));
240
241 SymbolRef sym =
242 SymMgr.getMetadataSymbol(region, expr, type, LCtx, count, symbolTag);
243
244 if (Loc::isLocType(type))
245 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
246
247 return nonloc::SymbolVal(sym);
248}
249
250DefinedOrUnknownSVal
251SValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol,
252 const TypedValueRegion *region) {
253 QualType T = region->getValueType();
254
255 if (T->isNullPtrType())
256 return makeZeroVal(T);
257
258 if (!SymbolManager::canSymbolicate(T))
259 return UnknownVal();
260
261 SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region);
262
263 if (Loc::isLocType(T))
264 return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
265
266 return nonloc::SymbolVal(sym);
267}
268
269DefinedSVal SValBuilder::getMemberPointer(const NamedDecl *ND) {
270 assert(!ND || (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(ND)))(static_cast <bool> (!ND || (isa<CXXMethodDecl, FieldDecl
, IndirectFieldDecl>(ND))) ? void (0) : __assert_fail ("!ND || (isa<CXXMethodDecl, FieldDecl, IndirectFieldDecl>(ND))"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 270, __extension__
__PRETTY_FUNCTION__));
271
272 if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(ND)) {
273 // Sema treats pointers to static member functions as have function pointer
274 // type, so return a function pointer for the method.
275 // We don't need to play a similar trick for static member fields
276 // because these are represented as plain VarDecls and not FieldDecls
277 // in the AST.
278 if (MD->isStatic())
279 return getFunctionPointer(MD);
280 }
281
282 return nonloc::PointerToMember(ND);
283}
284
285DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {
286 return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func));
287}
288
289DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,
290 CanQualType locTy,
291 const LocationContext *locContext,
292 unsigned blockCount) {
293 const BlockCodeRegion *BC =
294 MemMgr.getBlockCodeRegion(block, locTy, locContext->getAnalysisDeclContext());
295 const BlockDataRegion *BD = MemMgr.getBlockDataRegion(BC, locContext,
296 blockCount);
297 return loc::MemRegionVal(BD);
298}
299
300std::optional<loc::MemRegionVal>
301SValBuilder::getCastedMemRegionVal(const MemRegion *R, QualType Ty) {
302 if (auto OptR = StateMgr.getStoreManager().castRegion(R, Ty))
303 return loc::MemRegionVal(*OptR);
304 return std::nullopt;
305}
306
307/// Return a memory region for the 'this' object reference.
308loc::MemRegionVal SValBuilder::getCXXThis(const CXXMethodDecl *D,
309 const StackFrameContext *SFC) {
310 return loc::MemRegionVal(
311 getRegionManager().getCXXThisRegion(D->getThisType(), SFC));
312}
313
314/// Return a memory region for the 'this' object reference.
315loc::MemRegionVal SValBuilder::getCXXThis(const CXXRecordDecl *D,
316 const StackFrameContext *SFC) {
317 const Type *T = D->getTypeForDecl();
318 QualType PT = getContext().getPointerType(QualType(T, 0));
319 return loc::MemRegionVal(getRegionManager().getCXXThisRegion(PT, SFC));
320}
321
322std::optional<SVal> SValBuilder::getConstantVal(const Expr *E) {
323 E = E->IgnoreParens();
324
325 switch (E->getStmtClass()) {
326 // Handle expressions that we treat differently from the AST's constant
327 // evaluator.
328 case Stmt::AddrLabelExprClass:
329 return makeLoc(cast<AddrLabelExpr>(E));
330
331 case Stmt::CXXScalarValueInitExprClass:
332 case Stmt::ImplicitValueInitExprClass:
333 return makeZeroVal(E->getType());
334
335 case Stmt::ObjCStringLiteralClass: {
336 const auto *SL = cast<ObjCStringLiteral>(E);
337 return makeLoc(getRegionManager().getObjCStringRegion(SL));
338 }
339
340 case Stmt::StringLiteralClass: {
341 const auto *SL = cast<StringLiteral>(E);
342 return makeLoc(getRegionManager().getStringRegion(SL));
343 }
344
345 case Stmt::PredefinedExprClass: {
346 const auto *PE = cast<PredefinedExpr>(E);
347 assert(PE->getFunctionName() &&(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 349, __extension__
__PRETTY_FUNCTION__))
348 "Since we analyze only instantiated functions, PredefinedExpr "(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 349, __extension__
__PRETTY_FUNCTION__))
349 "should have a function name.")(static_cast <bool> (PE->getFunctionName() &&
"Since we analyze only instantiated functions, PredefinedExpr "
"should have a function name.") ? void (0) : __assert_fail (
"PE->getFunctionName() && \"Since we analyze only instantiated functions, PredefinedExpr \" \"should have a function name.\""
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 349, __extension__
__PRETTY_FUNCTION__));
350 return makeLoc(getRegionManager().getStringRegion(PE->getFunctionName()));
351 }
352
353 // Fast-path some expressions to avoid the overhead of going through the AST's
354 // constant evaluator
355 case Stmt::CharacterLiteralClass: {
356 const auto *C = cast<CharacterLiteral>(E);
357 return makeIntVal(C->getValue(), C->getType());
358 }
359
360 case Stmt::CXXBoolLiteralExprClass:
361 return makeBoolVal(cast<CXXBoolLiteralExpr>(E));
362
363 case Stmt::TypeTraitExprClass: {
364 const auto *TE = cast<TypeTraitExpr>(E);
365 return makeTruthVal(TE->getValue(), TE->getType());
366 }
367
368 case Stmt::IntegerLiteralClass:
369 return makeIntVal(cast<IntegerLiteral>(E));
370
371 case Stmt::ObjCBoolLiteralExprClass:
372 return makeBoolVal(cast<ObjCBoolLiteralExpr>(E));
373
374 case Stmt::CXXNullPtrLiteralExprClass:
375 return makeNullWithType(E->getType());
376
377 case Stmt::CStyleCastExprClass:
378 case Stmt::CXXFunctionalCastExprClass:
379 case Stmt::CXXConstCastExprClass:
380 case Stmt::CXXReinterpretCastExprClass:
381 case Stmt::CXXStaticCastExprClass:
382 case Stmt::ImplicitCastExprClass: {
383 const auto *CE = cast<CastExpr>(E);
384 switch (CE->getCastKind()) {
385 default:
386 break;
387 case CK_ArrayToPointerDecay:
388 case CK_IntegralToPointer:
389 case CK_NoOp:
390 case CK_BitCast: {
391 const Expr *SE = CE->getSubExpr();
392 std::optional<SVal> Val = getConstantVal(SE);
393 if (!Val)
394 return std::nullopt;
395 return evalCast(*Val, CE->getType(), SE->getType());
396 }
397 }
398 // FALLTHROUGH
399 [[fallthrough]];
400 }
401
402 // If we don't have a special case, fall back to the AST's constant evaluator.
403 default: {
404 // Don't try to come up with a value for materialized temporaries.
405 if (E->isGLValue())
406 return std::nullopt;
407
408 ASTContext &Ctx = getContext();
409 Expr::EvalResult Result;
410 if (E->EvaluateAsInt(Result, Ctx))
411 return makeIntVal(Result.Val.getInt());
412
413 if (Loc::isLocType(E->getType()))
414 if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull))
415 return makeNullWithType(E->getType());
416
417 return std::nullopt;
418 }
419 }
420}
421
422SVal SValBuilder::makeSymExprValNN(BinaryOperator::Opcode Op,
423 NonLoc LHS, NonLoc RHS,
424 QualType ResultTy) {
425 SymbolRef symLHS = LHS.getAsSymbol();
426 SymbolRef symRHS = RHS.getAsSymbol();
427
428 // TODO: When the Max Complexity is reached, we should conjure a symbol
429 // instead of generating an Unknown value and propagate the taint info to it.
430 const unsigned MaxComp = AnOpts.MaxSymbolComplexity;
431
432 if (symLHS && symRHS &&
433 (symLHS->computeComplexity() + symRHS->computeComplexity()) < MaxComp)
434 return makeNonLoc(symLHS, Op, symRHS, ResultTy);
435
436 if (symLHS && symLHS->computeComplexity() < MaxComp)
437 if (std::optional<nonloc::ConcreteInt> rInt =
438 RHS.getAs<nonloc::ConcreteInt>())
439 return makeNonLoc(symLHS, Op, rInt->getValue(), ResultTy);
440
441 if (symRHS && symRHS->computeComplexity() < MaxComp)
442 if (std::optional<nonloc::ConcreteInt> lInt =
443 LHS.getAs<nonloc::ConcreteInt>())
444 return makeNonLoc(lInt->getValue(), Op, symRHS, ResultTy);
445
446 return UnknownVal();
447}
448
449SVal SValBuilder::evalMinus(NonLoc X) {
450 switch (X.getSubKind()) {
451 case nonloc::ConcreteIntKind:
452 return makeIntVal(-X.castAs<nonloc::ConcreteInt>().getValue());
453 case nonloc::SymbolValKind:
454 return makeNonLoc(X.castAs<nonloc::SymbolVal>().getSymbol(), UO_Minus,
455 X.getType(Context));
456 default:
457 return UnknownVal();
458 }
459}
460
461SVal SValBuilder::evalComplement(NonLoc X) {
462 switch (X.getSubKind()) {
463 case nonloc::ConcreteIntKind:
464 return makeIntVal(~X.castAs<nonloc::ConcreteInt>().getValue());
465 case nonloc::SymbolValKind:
466 return makeNonLoc(X.castAs<nonloc::SymbolVal>().getSymbol(), UO_Not,
467 X.getType(Context));
468 default:
469 return UnknownVal();
470 }
471}
472
473SVal SValBuilder::evalUnaryOp(ProgramStateRef state, UnaryOperator::Opcode opc,
474 SVal operand, QualType type) {
475 auto OpN = operand.getAs<NonLoc>();
476 if (!OpN)
477 return UnknownVal();
478
479 if (opc == UO_Minus)
480 return evalMinus(*OpN);
481 if (opc == UO_Not)
482 return evalComplement(*OpN);
483 llvm_unreachable("Unexpected unary operator")::llvm::llvm_unreachable_internal("Unexpected unary operator"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 483);
484}
485
486SVal SValBuilder::evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op,
487 SVal lhs, SVal rhs, QualType type) {
488 if (lhs.isUndef() || rhs.isUndef())
489 return UndefinedVal();
490
491 if (lhs.isUnknown() || rhs.isUnknown())
492 return UnknownVal();
493
494 if (isa<nonloc::LazyCompoundVal>(lhs) || isa<nonloc::LazyCompoundVal>(rhs)) {
495 return UnknownVal();
496 }
497
498 if (op == BinaryOperatorKind::BO_Cmp) {
499 // We can't reason about C++20 spaceship operator yet.
500 //
501 // FIXME: Support C++20 spaceship operator.
502 // The main problem here is that the result is not integer.
503 return UnknownVal();
504 }
505
506 if (std::optional<Loc> LV = lhs.getAs<Loc>()) {
507 if (std::optional<Loc> RV = rhs.getAs<Loc>())
508 return evalBinOpLL(state, op, *LV, *RV, type);
509
510 return evalBinOpLN(state, op, *LV, rhs.castAs<NonLoc>(), type);
511 }
512
513 if (const std::optional<Loc> RV = rhs.getAs<Loc>()) {
514 const auto IsCommutative = [](BinaryOperatorKind Op) {
515 return Op == BO_Mul || Op == BO_Add || Op == BO_And || Op == BO_Xor ||
516 Op == BO_Or;
517 };
518
519 if (IsCommutative(op)) {
520 // Swap operands.
521 return evalBinOpLN(state, op, *RV, lhs.castAs<NonLoc>(), type);
522 }
523
524 // If the right operand is a concrete int location then we have nothing
525 // better but to treat it as a simple nonloc.
526 if (auto RV = rhs.getAs<loc::ConcreteInt>()) {
527 const nonloc::ConcreteInt RhsAsLoc = makeIntVal(RV->getValue());
528 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), RhsAsLoc, type);
529 }
530 }
531
532 return evalBinOpNN(state, op, lhs.castAs<NonLoc>(), rhs.castAs<NonLoc>(),
533 type);
534}
535
536ConditionTruthVal SValBuilder::areEqual(ProgramStateRef state, SVal lhs,
537 SVal rhs) {
538 return state->isNonNull(evalEQ(state, lhs, rhs));
Called C++ object pointer is null
539}
540
541SVal SValBuilder::evalEQ(ProgramStateRef state, SVal lhs, SVal rhs) {
542 return evalBinOp(state, BO_EQ, lhs, rhs, getConditionType());
543}
544
545DefinedOrUnknownSVal SValBuilder::evalEQ(ProgramStateRef state,
546 DefinedOrUnknownSVal lhs,
547 DefinedOrUnknownSVal rhs) {
548 return evalEQ(state, static_cast<SVal>(lhs), static_cast<SVal>(rhs))
549 .castAs<DefinedOrUnknownSVal>();
550}
551
552/// Recursively check if the pointer types are equal modulo const, volatile,
553/// and restrict qualifiers. Also, assume that all types are similar to 'void'.
554/// Assumes the input types are canonical.
555static bool shouldBeModeledWithNoOp(ASTContext &Context, QualType ToTy,
556 QualType FromTy) {
557 while (Context.UnwrapSimilarTypes(ToTy, FromTy)) {
558 Qualifiers Quals1, Quals2;
559 ToTy = Context.getUnqualifiedArrayType(ToTy, Quals1);
560 FromTy = Context.getUnqualifiedArrayType(FromTy, Quals2);
561
562 // Make sure that non-cvr-qualifiers the other qualifiers (e.g., address
563 // spaces) are identical.
564 Quals1.removeCVRQualifiers();
565 Quals2.removeCVRQualifiers();
566 if (Quals1 != Quals2)
567 return false;
568 }
569
570 // If we are casting to void, the 'From' value can be used to represent the
571 // 'To' value.
572 //
573 // FIXME: Doing this after unwrapping the types doesn't make any sense. A
574 // cast from 'int**' to 'void**' is not special in the way that a cast from
575 // 'int*' to 'void*' is.
576 if (ToTy->isVoidType())
577 return true;
578
579 if (ToTy != FromTy)
580 return false;
581
582 return true;
583}
584
585// Handles casts of type CK_IntegralCast.
586// At the moment, this function will redirect to evalCast, except when the range
587// of the original value is known to be greater than the max of the target type.
588SVal SValBuilder::evalIntegralCast(ProgramStateRef state, SVal val,
589 QualType castTy, QualType originalTy) {
590 // No truncations if target type is big enough.
591 if (getContext().getTypeSize(castTy) >= getContext().getTypeSize(originalTy))
592 return evalCast(val, castTy, originalTy);
593
594 SymbolRef se = val.getAsSymbol();
595 if (!se) // Let evalCast handle non symbolic expressions.
596 return evalCast(val, castTy, originalTy);
597
598 // Find the maximum value of the target type.
599 APSIntType ToType(getContext().getTypeSize(castTy),
600 castTy->isUnsignedIntegerType());
601 llvm::APSInt ToTypeMax = ToType.getMaxValue();
602 NonLoc ToTypeMaxVal =
603 makeIntVal(ToTypeMax.isUnsigned() ? ToTypeMax.getZExtValue()
604 : ToTypeMax.getSExtValue(),
605 castTy)
606 .castAs<NonLoc>();
607 // Check the range of the symbol being casted against the maximum value of the
608 // target type.
609 NonLoc FromVal = val.castAs<NonLoc>();
610 QualType CmpTy = getConditionType();
611 NonLoc CompVal =
612 evalBinOpNN(state, BO_LE, FromVal, ToTypeMaxVal, CmpTy).castAs<NonLoc>();
613 ProgramStateRef IsNotTruncated, IsTruncated;
614 std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal);
615 if (!IsNotTruncated && IsTruncated) {
616 // Symbol is truncated so we evaluate it as a cast.
617 return makeNonLoc(se, originalTy, castTy);
618 }
619 return evalCast(val, castTy, originalTy);
620}
621
622//===----------------------------------------------------------------------===//
623// Cast method.
624// `evalCast` and its helper `EvalCastVisitor`
625//===----------------------------------------------------------------------===//
626
627namespace {
628class EvalCastVisitor : public SValVisitor<EvalCastVisitor, SVal> {
629private:
630 SValBuilder &VB;
631 ASTContext &Context;
632 QualType CastTy, OriginalTy;
633
634public:
635 EvalCastVisitor(SValBuilder &VB, QualType CastTy, QualType OriginalTy)
636 : VB(VB), Context(VB.getContext()), CastTy(CastTy),
637 OriginalTy(OriginalTy) {}
638
639 SVal Visit(SVal V) {
640 if (CastTy.isNull())
641 return V;
642
643 CastTy = Context.getCanonicalType(CastTy);
644
645 const bool IsUnknownOriginalType = OriginalTy.isNull();
646 if (!IsUnknownOriginalType) {
647 OriginalTy = Context.getCanonicalType(OriginalTy);
648
649 if (CastTy == OriginalTy)
650 return V;
651
652 // FIXME: Move this check to the most appropriate
653 // evalCastKind/evalCastSubKind function. For const casts, casts to void,
654 // just propagate the value.
655 if (!CastTy->isVariableArrayType() && !OriginalTy->isVariableArrayType())
656 if (shouldBeModeledWithNoOp(Context, Context.getPointerType(CastTy),
657 Context.getPointerType(OriginalTy)))
658 return V;
659 }
660 return SValVisitor::Visit(V);
661 }
662 SVal VisitUndefinedVal(UndefinedVal V) { return V; }
663 SVal VisitUnknownVal(UnknownVal V) { return V; }
664 SVal VisitLocConcreteInt(loc::ConcreteInt V) {
665 // Pointer to bool.
666 if (CastTy->isBooleanType())
667 return VB.makeTruthVal(V.getValue().getBoolValue(), CastTy);
668
669 // Pointer to integer.
670 if (CastTy->isIntegralOrEnumerationType()) {
671 llvm::APSInt Value = V.getValue();
672 VB.getBasicValueFactory().getAPSIntType(CastTy).apply(Value);
673 return VB.makeIntVal(Value);
674 }
675
676 // Pointer to any pointer.
677 if (Loc::isLocType(CastTy)) {
678 llvm::APSInt Value = V.getValue();
679 VB.getBasicValueFactory().getAPSIntType(CastTy).apply(Value);
680 return loc::ConcreteInt(VB.getBasicValueFactory().getValue(Value));
681 }
682
683 // Pointer to whatever else.
684 return UnknownVal();
685 }
686 SVal VisitLocGotoLabel(loc::GotoLabel V) {
687 // Pointer to bool.
688 if (CastTy->isBooleanType())
689 // Labels are always true.
690 return VB.makeTruthVal(true, CastTy);
691
692 // Pointer to integer.
693 if (CastTy->isIntegralOrEnumerationType()) {
694 const unsigned BitWidth = Context.getIntWidth(CastTy);
695 return VB.makeLocAsInteger(V, BitWidth);
696 }
697
698 const bool IsUnknownOriginalType = OriginalTy.isNull();
699 if (!IsUnknownOriginalType) {
700 // Array to pointer.
701 if (isa<ArrayType>(OriginalTy))
702 if (CastTy->isPointerType() || CastTy->isReferenceType())
703 return UnknownVal();
704 }
705
706 // Pointer to any pointer.
707 if (Loc::isLocType(CastTy))
708 return V;
709
710 // Pointer to whatever else.
711 return UnknownVal();
712 }
713 SVal VisitLocMemRegionVal(loc::MemRegionVal V) {
714 // Pointer to bool.
715 if (CastTy->isBooleanType()) {
716 const MemRegion *R = V.getRegion();
717 if (const FunctionCodeRegion *FTR = dyn_cast<FunctionCodeRegion>(R))
718 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl()))
719 if (FD->isWeak())
720 // FIXME: Currently we are using an extent symbol here,
721 // because there are no generic region address metadata
722 // symbols to use, only content metadata.
723 return nonloc::SymbolVal(
724 VB.getSymbolManager().getExtentSymbol(FTR));
725
726 if (const SymbolicRegion *SymR = R->getSymbolicBase()) {
727 SymbolRef Sym = SymR->getSymbol();
728 QualType Ty = Sym->getType();
729 // This change is needed for architectures with varying
730 // pointer widths. See the amdgcn opencl reproducer with
731 // this change as an example: solver-sym-simplification-ptr-bool.cl
732 if (!Ty->isReferenceType())
733 return VB.makeNonLoc(
734 Sym, BO_NE, VB.getBasicValueFactory().getZeroWithTypeSize(Ty),
735 CastTy);
736 }
737 // Non-symbolic memory regions are always true.
738 return VB.makeTruthVal(true, CastTy);
739 }
740
741 const bool IsUnknownOriginalType = OriginalTy.isNull();
742 // Try to cast to array
743 const auto *ArrayTy =
744 IsUnknownOriginalType
745 ? nullptr
746 : dyn_cast<ArrayType>(OriginalTy.getCanonicalType());
747
748 // Pointer to integer.
749 if (CastTy->isIntegralOrEnumerationType()) {
750 SVal Val = V;
751 // Array to integer.
752 if (ArrayTy) {
753 // We will always decay to a pointer.
754 QualType ElemTy = ArrayTy->getElementType();
755 Val = VB.getStateManager().ArrayToPointer(V, ElemTy);
756 // FIXME: Keep these here for now in case we decide soon that we
757 // need the original decayed type.
758 // QualType elemTy = cast<ArrayType>(originalTy)->getElementType();
759 // QualType pointerTy = C.getPointerType(elemTy);
760 }
761 const unsigned BitWidth = Context.getIntWidth(CastTy);
762 return VB.makeLocAsInteger(Val.castAs<Loc>(), BitWidth);
763 }
764
765 // Pointer to pointer.
766 if (Loc::isLocType(CastTy)) {
767
768 if (IsUnknownOriginalType) {
769 // When retrieving symbolic pointer and expecting a non-void pointer,
770 // wrap them into element regions of the expected type if necessary.
771 // It is necessary to make sure that the retrieved value makes sense,
772 // because there's no other cast in the AST that would tell us to cast
773 // it to the correct pointer type. We might need to do that for non-void
774 // pointers as well.
775 // FIXME: We really need a single good function to perform casts for us
776 // correctly every time we need it.
777 const MemRegion *R = V.getRegion();
778 if (CastTy->isPointerType() && !CastTy->isVoidPointerType()) {
779 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) {
780 QualType SRTy = SR->getSymbol()->getType();
781
782 auto HasSameUnqualifiedPointeeType = [](QualType ty1,
783 QualType ty2) {
784 return ty1->getPointeeType().getCanonicalType().getTypePtr() ==
785 ty2->getPointeeType().getCanonicalType().getTypePtr();
786 };
787 if (!HasSameUnqualifiedPointeeType(SRTy, CastTy)) {
788 if (auto OptMemRegV = VB.getCastedMemRegionVal(SR, CastTy))
789 return *OptMemRegV;
790 }
791 }
792 }
793 // Next fixes pointer dereference using type different from its initial
794 // one. See PR37503 and PR49007 for details.
795 if (const auto *ER = dyn_cast<ElementRegion>(R)) {
796 if (auto OptMemRegV = VB.getCastedMemRegionVal(ER, CastTy))
797 return *OptMemRegV;
798 }
799
800 return V;
801 }
802
803 if (OriginalTy->isIntegralOrEnumerationType() ||
804 OriginalTy->isBlockPointerType() ||
805 OriginalTy->isFunctionPointerType())
806 return V;
807
808 // Array to pointer.
809 if (ArrayTy) {
810 // Are we casting from an array to a pointer? If so just pass on
811 // the decayed value.
812 if (CastTy->isPointerType() || CastTy->isReferenceType()) {
813 // We will always decay to a pointer.
814 QualType ElemTy = ArrayTy->getElementType();
815 return VB.getStateManager().ArrayToPointer(V, ElemTy);
816 }
817 // Are we casting from an array to an integer? If so, cast the decayed
818 // pointer value to an integer.
819 assert(CastTy->isIntegralOrEnumerationType())(static_cast <bool> (CastTy->isIntegralOrEnumerationType
()) ? void (0) : __assert_fail ("CastTy->isIntegralOrEnumerationType()"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 819, __extension__
__PRETTY_FUNCTION__));
820 }
821
822 // Other pointer to pointer.
823 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() ||(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 824, __extension__
__PRETTY_FUNCTION__))
824 CastTy->isReferenceType())(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 824, __extension__
__PRETTY_FUNCTION__));
825
826 // We get a symbolic function pointer for a dereference of a function
827 // pointer, but it is of function type. Example:
828
829 // struct FPRec {
830 // void (*my_func)(int * x);
831 // };
832 //
833 // int bar(int x);
834 //
835 // int f1_a(struct FPRec* foo) {
836 // int x;
837 // (*foo->my_func)(&x);
838 // return bar(x)+1; // no-warning
839 // }
840
841 // Get the result of casting a region to a different type.
842 const MemRegion *R = V.getRegion();
843 if (auto OptMemRegV = VB.getCastedMemRegionVal(R, CastTy))
844 return *OptMemRegV;
845 }
846
847 // Pointer to whatever else.
848 // FIXME: There can be gross cases where one casts the result of a
849 // function (that returns a pointer) to some other value that happens to
850 // fit within that pointer value. We currently have no good way to model
851 // such operations. When this happens, the underlying operation is that
852 // the caller is reasoning about bits. Conceptually we are layering a
853 // "view" of a location on top of those bits. Perhaps we need to be more
854 // lazy about mutual possible views, even on an SVal? This may be
855 // necessary for bit-level reasoning as well.
856 return UnknownVal();
857 }
858 SVal VisitNonLocCompoundVal(nonloc::CompoundVal V) {
859 // Compound to whatever.
860 return UnknownVal();
861 }
862 SVal VisitNonLocConcreteInt(nonloc::ConcreteInt V) {
863 auto CastedValue = [V, this]() {
864 llvm::APSInt Value = V.getValue();
865 VB.getBasicValueFactory().getAPSIntType(CastTy).apply(Value);
866 return Value;
867 };
868
869 // Integer to bool.
870 if (CastTy->isBooleanType())
871 return VB.makeTruthVal(V.getValue().getBoolValue(), CastTy);
872
873 // Integer to pointer.
874 if (CastTy->isIntegralOrEnumerationType())
875 return VB.makeIntVal(CastedValue());
876
877 // Integer to pointer.
878 if (Loc::isLocType(CastTy))
879 return VB.makeIntLocVal(CastedValue());
880
881 // Pointer to whatever else.
882 return UnknownVal();
883 }
884 SVal VisitNonLocLazyCompoundVal(nonloc::LazyCompoundVal V) {
885 // LazyCompound to whatever.
886 return UnknownVal();
887 }
888 SVal VisitNonLocLocAsInteger(nonloc::LocAsInteger V) {
889 Loc L = V.getLoc();
890
891 // Pointer as integer to bool.
892 if (CastTy->isBooleanType())
893 // Pass to Loc function.
894 return Visit(L);
895
896 const bool IsUnknownOriginalType = OriginalTy.isNull();
897 // Pointer as integer to pointer.
898 if (!IsUnknownOriginalType && Loc::isLocType(CastTy) &&
899 OriginalTy->isIntegralOrEnumerationType()) {
900 if (const MemRegion *R = L.getAsRegion())
901 if (auto OptMemRegV = VB.getCastedMemRegionVal(R, CastTy))
902 return *OptMemRegV;
903 return L;
904 }
905
906 // Pointer as integer with region to integer/pointer.
907 const MemRegion *R = L.getAsRegion();
908 if (!IsUnknownOriginalType && R) {
909 if (CastTy->isIntegralOrEnumerationType())
910 return VisitLocMemRegionVal(loc::MemRegionVal(R));
911
912 if (Loc::isLocType(CastTy)) {
913 assert(Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() ||(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 914, __extension__
__PRETTY_FUNCTION__))
914 CastTy->isReferenceType())(static_cast <bool> (Loc::isLocType(OriginalTy) || OriginalTy
->isFunctionType() || CastTy->isReferenceType()) ? void
(0) : __assert_fail ("Loc::isLocType(OriginalTy) || OriginalTy->isFunctionType() || CastTy->isReferenceType()"
, "clang/lib/StaticAnalyzer/Core/SValBuilder.cpp", 914, __extension__
__PRETTY_FUNCTION__));
915 // Delegate to store manager to get the result of casting a region to a
916 // different type. If the MemRegion* returned is NULL, this expression
917 // Evaluates to UnknownVal.
918 if (auto OptMemRegV = VB.getCastedMemRegionVal(R, CastTy))
919 return *OptMemRegV;
920 }
921 } else {
922 if (Loc::isLocType(CastTy)) {
923 if (IsUnknownOriginalType)
924 return VisitLocMemRegionVal(loc::MemRegionVal(R));
925 return L;
926 }
927
928 SymbolRef SE = nullptr;
929 if (R) {
930 if (const SymbolicRegion *SR =
931 dyn_cast<SymbolicRegion>(R->StripCasts())) {
932 SE = SR->getSymbol();
933 }
934 }
935
936 if (!CastTy->isFloatingType() || !SE || SE->getType()->isFloatingType()) {
937 // FIXME: Correctly support promotions/truncations.
938 const unsigned CastSize = Context.getIntWidth(CastTy);
939 if (CastSize == V.getNumBits())
940 return V;
941
942 return VB.makeLocAsInteger(L, CastSize);
943 }
944 }
945
946 // Pointer as integer to whatever else.
947 return UnknownVal();
948 }
949 SVal VisitNonLocSymbolVal(nonloc::SymbolVal V) {
950 SymbolRef SE = V.getSymbol();
951
952 const bool IsUnknownOriginalType = OriginalTy.isNull();
953 // Symbol to bool.
954 if (!IsUnknownOriginalType && CastTy->isBooleanType()) {
955 // Non-float to bool.
956 if (Loc::isLocType(OriginalTy) ||
957 OriginalTy->isIntegralOrEnumerationType() ||
958 OriginalTy->isMemberPointerType()) {
959 BasicValueFactory &BVF = VB.getBasicValueFactory();
960 return VB.makeNonLoc(SE, BO_NE, BVF.getValue(0, SE->getType()), CastTy);
961 }
962 } else {
963 // Symbol to integer, float.
964 QualType T = Context.getCanonicalType(SE->getType());
965
966 // Produce SymbolCast if CastTy and T are different integers.
967 // NOTE: In the end the type of SymbolCast shall be equal to CastTy.
968 if (T->isIntegralOrUnscopedEnumerationType() &&
969 CastTy->isIntegralOrUnscopedEnumerationType()) {
970 AnalyzerOptions &Opts = VB.getStateManager()
971 .getOwningEngine()
972 .getAnalysisManager()
973 .getAnalyzerOptions();
974 // If appropriate option is disabled, ignore the cast.
975 // NOTE: ShouldSupportSymbolicIntegerCasts is `false` by default.
976 if (!Opts.ShouldSupportSymbolicIntegerCasts)
977 return V;
978 return simplifySymbolCast(V, CastTy);
979 }
980 if (!Loc::isLocType(CastTy))
981 if (!IsUnknownOriginalType || !CastTy->isFloatingType() ||
982 T->isFloatingType())
983 return VB.makeNonLoc(SE, T, CastTy);
984 }
985
986 // Symbol to pointer and whatever else.
987 return UnknownVal();
988 }
989 SVal VisitNonLocPointerToMember(nonloc::PointerToMember V) {
990 // Member pointer to whatever.
991 return V;
992 }
993
994 /// Reduce cast expression by removing redundant intermediate casts.
995 /// E.g.
996 /// - (char)(short)(int x) -> (char)(int x)
997 /// - (int)(int x) -> int x
998 ///
999 /// \param V -- SymbolVal, which pressumably contains SymbolCast or any symbol
1000 /// that is applicable for cast operation.
1001 /// \param CastTy -- QualType, which `V` shall be cast to.
1002 /// \return SVal with simplified cast expression.
1003 /// \note: Currently only support integral casts.
1004 nonloc::SymbolVal simplifySymbolCast(nonloc::SymbolVal V, QualType CastTy) {
1005 // We use seven conditions to recognize a simplification case.
1006 // For the clarity let `CastTy` be `C`, SE->getType() - `T`, root type -
1007 // `R`, prefix `u` for unsigned, `s` for signed, no prefix - any sign: E.g.
1008 // (char)(short)(uint x)
1009 // ( sC )( sT )( uR x)
1010 //
1011 // C === R (the same type)
1012 // (char)(char x) -> (char x)
1013 // (long)(long x) -> (long x)
1014 // Note: Comparisons operators below are for bit width.
1015 // C == T
1016 // (short)(short)(int x) -> (short)(int x)
1017 // (int)(long)(char x) -> (int)(char x) (sizeof(long) == sizeof(int))
1018 // (long)(ullong)(char x) -> (long)(char x) (sizeof(long) ==
1019 // sizeof(ullong))
1020 // C < T
1021 // (short)(int)(char x) -> (short)(char x)
1022 // (char)(int)(short x) -> (char)(short x)
1023 // (short)(int)(short x) -> (short x)
1024 // C > T > uR
1025 // (int)(short)(uchar x) -> (int)(uchar x)
1026 // (uint)(short)(uchar x) -> (uint)(uchar x)
1027 // (int)(ushort)(uchar x) -> (int)(uchar x)
1028 // C > sT > sR
1029 // (int)(short)(char x) -> (int)(char x)
1030 // (uint)(short)(char x) -> (uint)(char x)
1031 // C > sT == sR
1032 // (int)(char)(char x) -> (int)(char x)
1033 // (uint)(short)(short x) -> (uint)(short x)
1034 // C > uT == uR
1035 // (int)(uchar)(uchar x) -> (int)(uchar x)
1036 // (uint)(ushort)(ushort x) -> (uint)(ushort x)
1037 // (llong)(ulong)(uint x) -> (llong)(uint x) (sizeof(ulong) ==
1038 // sizeof(uint))
1039
1040 SymbolRef SE = V.getSymbol();
1041 QualType T = Context.getCanonicalType(SE->getType());
1042
1043 if (T == CastTy)
1044 return V;
1045
1046 if (!isa<SymbolCast>(SE))
1047 return VB.makeNonLoc(SE, T, CastTy);
1048
1049 SymbolRef RootSym = cast<SymbolCast>(SE)->getOperand();
1050 QualType RT = RootSym->getType().getCanonicalType();
1051
1052 // FIXME support simplification from non-integers.
1053 if (!RT->isIntegralOrEnumerationType())
1054 return VB.makeNonLoc(SE, T, CastTy);
1055
1056 BasicValueFactory &BVF = VB.getBasicValueFactory();
1057 APSIntType CTy = BVF.getAPSIntType(CastTy);
1058 APSIntType TTy = BVF.getAPSIntType(T);
1059
1060 const auto WC = CTy.getBitWidth();
1061 const auto WT = TTy.getBitWidth();
1062
1063 if (WC <= WT) {
1064 const bool isSameType = (RT == CastTy);
1065 if (isSameType)
1066 return nonloc::SymbolVal(RootSym);
1067 return VB.makeNonLoc(RootSym, RT, CastTy);
1068 }
1069
1070 APSIntType RTy = BVF.getAPSIntType(RT);
1071 const auto WR = RTy.getBitWidth();
1072 const bool UT = TTy.isUnsigned();
1073 const bool UR = RTy.isUnsigned();
1074
1075 if (((WT > WR) && (UR || !UT)) || ((WT == WR) && (UT == UR)))
1076 return VB.makeNonLoc(RootSym, RT, CastTy);
1077
1078 return VB.makeNonLoc(SE, T, CastTy);
1079 }
1080};
1081} // end anonymous namespace
1082
1083/// Cast a given SVal to another SVal using given QualType's.
1084/// \param V -- SVal that should be casted.
1085/// \param CastTy -- QualType that V should be casted according to.
1086/// \param OriginalTy -- QualType which is associated to V. It provides
1087/// additional information about what type the cast performs from.
1088/// \returns the most appropriate casted SVal.
1089/// Note: Many cases don't use an exact OriginalTy. It can be extracted
1090/// from SVal or the cast can performs unconditionaly. Always pass OriginalTy!
1091/// It can be crucial in certain cases and generates different results.
1092/// FIXME: If `OriginalTy.isNull()` is true, then cast performs based on CastTy
1093/// only. This behavior is uncertain and should be improved.
1094SVal SValBuilder::evalCast(SVal V, QualType CastTy, QualType OriginalTy) {
1095 EvalCastVisitor TRV{*this, CastTy, OriginalTy};
1096 return TRV.Visit(V);
1097}