1 //=-- ExprEngineC.cpp - ExprEngine support for C expressions ----*- C++ -*-===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file defines ExprEngine's support for C expressions.
12 //===----------------------------------------------------------------------===//
14 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
15 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
17 using namespace clang;
21 void ExprEngine::VisitBinaryOperator(const BinaryOperator* B,
23 ExplodedNodeSet &Dst) {
25 Expr *LHS = B->getLHS()->IgnoreParens();
26 Expr *RHS = B->getRHS()->IgnoreParens();
28 // FIXME: Prechecks eventually go in ::Visit().
29 ExplodedNodeSet CheckedSet;
31 getCheckerManager().runCheckersForPreStmt(CheckedSet, Pred, B, *this);
33 // With both the LHS and RHS evaluated, process the operation itself.
34 for (ExplodedNodeSet::iterator it=CheckedSet.begin(), ei=CheckedSet.end();
37 ProgramStateRef state = (*it)->getState();
38 const LocationContext *LCtx = (*it)->getLocationContext();
39 SVal LeftV = state->getSVal(LHS, LCtx);
40 SVal RightV = state->getSVal(RHS, LCtx);
42 BinaryOperator::Opcode Op = B->getOpcode();
44 if (Op == BO_Assign) {
45 // EXPERIMENTAL: "Conjured" symbols.
46 // FIXME: Handle structs.
47 if (RightV.isUnknown()) {
48 unsigned Count = currentBuilderContext->getCurrentBlockCount();
49 RightV = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), LCtx, Count);
51 // Simulate the effects of a "store": bind the value of the RHS
52 // to the L-Value represented by the LHS.
53 SVal ExprVal = B->isLValue() ? LeftV : RightV;
54 evalStore(Tmp2, B, LHS, *it, state->BindExpr(B, LCtx, ExprVal),
59 if (!B->isAssignmentOp()) {
60 StmtNodeBuilder Bldr(*it, Tmp2, *currentBuilderContext);
61 // Process non-assignments except commas or short-circuited
62 // logical expressions (LAnd and LOr).
63 SVal Result = evalBinOp(state, Op, LeftV, RightV, B->getType());
64 if (Result.isUnknown()) {
65 Bldr.generateNode(B, *it, state);
69 state = state->BindExpr(B, LCtx, Result);
70 Bldr.generateNode(B, *it, state);
74 assert (B->isCompoundAssignmentOp());
78 llvm_unreachable("Invalid opcode for compound assignment.");
79 case BO_MulAssign: Op = BO_Mul; break;
80 case BO_DivAssign: Op = BO_Div; break;
81 case BO_RemAssign: Op = BO_Rem; break;
82 case BO_AddAssign: Op = BO_Add; break;
83 case BO_SubAssign: Op = BO_Sub; break;
84 case BO_ShlAssign: Op = BO_Shl; break;
85 case BO_ShrAssign: Op = BO_Shr; break;
86 case BO_AndAssign: Op = BO_And; break;
87 case BO_XorAssign: Op = BO_Xor; break;
88 case BO_OrAssign: Op = BO_Or; break;
91 // Perform a load (the LHS). This performs the checks for
92 // null dereferences, and so on.
94 SVal location = LeftV;
95 evalLoad(Tmp, B, LHS, *it, state, location);
97 for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I != E;
100 state = (*I)->getState();
101 const LocationContext *LCtx = (*I)->getLocationContext();
102 SVal V = state->getSVal(LHS, LCtx);
104 // Get the computation type.
106 cast<CompoundAssignOperator>(B)->getComputationResultType();
107 CTy = getContext().getCanonicalType(CTy);
110 cast<CompoundAssignOperator>(B)->getComputationLHSType();
111 CLHSTy = getContext().getCanonicalType(CLHSTy);
113 QualType LTy = getContext().getCanonicalType(LHS->getType());
116 V = svalBuilder.evalCast(V, CLHSTy, LTy);
118 // Compute the result of the operation.
119 SVal Result = svalBuilder.evalCast(evalBinOp(state, Op, V, RightV, CTy),
122 // EXPERIMENTAL: "Conjured" symbols.
123 // FIXME: Handle structs.
127 if (Result.isUnknown()) {
129 unsigned Count = currentBuilderContext->getCurrentBlockCount();
131 // The symbolic value is actually for the type of the left-hand side
132 // expression, not the computation type, as this is the value the
133 // LValue on the LHS will bind to.
134 LHSVal = svalBuilder.getConjuredSymbolVal(NULL, B->getRHS(), LCtx,
137 // However, we need to convert the symbol to the computation type.
138 Result = svalBuilder.evalCast(LHSVal, CTy, LTy);
141 // The left-hand side may bind to a different value then the
143 LHSVal = svalBuilder.evalCast(Result, LTy, CTy);
146 // In C++, assignment and compound assignment operators return an
149 state = state->BindExpr(B, LCtx, location);
151 state = state->BindExpr(B, LCtx, Result);
153 evalStore(Tmp2, B, LHS, *I, state, location, LHSVal);
157 // FIXME: postvisits eventually go in ::Visit()
158 getCheckerManager().runCheckersForPostStmt(Dst, Tmp2, B, *this);
161 void ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
162 ExplodedNodeSet &Dst) {
164 CanQualType T = getContext().getCanonicalType(BE->getType());
165 SVal V = svalBuilder.getBlockPointer(BE->getBlockDecl(), T,
166 Pred->getLocationContext());
169 StmtNodeBuilder Bldr(Pred, Tmp, *currentBuilderContext);
170 Bldr.generateNode(BE, Pred,
171 Pred->getState()->BindExpr(BE, Pred->getLocationContext(),
174 ProgramPoint::PostLValueKind);
176 // FIXME: Move all post/pre visits to ::Visit().
177 getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
180 void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
181 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
183 ExplodedNodeSet dstPreStmt;
184 getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this);
186 if (CastE->getCastKind() == CK_LValueToRValue) {
187 for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end();
189 ExplodedNode *subExprNode = *I;
190 ProgramStateRef state = subExprNode->getState();
191 const LocationContext *LCtx = subExprNode->getLocationContext();
192 evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, LCtx));
198 QualType T = CastE->getType();
199 QualType ExTy = Ex->getType();
201 if (const ExplicitCastExpr *ExCast=dyn_cast_or_null<ExplicitCastExpr>(CastE))
202 T = ExCast->getTypeAsWritten();
204 StmtNodeBuilder Bldr(dstPreStmt, Dst, *currentBuilderContext);
205 for (ExplodedNodeSet::iterator I = dstPreStmt.begin(), E = dstPreStmt.end();
210 switch (CastE->getCastKind()) {
211 case CK_LValueToRValue:
212 llvm_unreachable("LValueToRValue casts handled earlier.");
215 // The analyzer doesn't do anything special with these casts,
216 // since it understands retain/release semantics already.
217 case CK_ARCProduceObject:
218 case CK_ARCConsumeObject:
219 case CK_ARCReclaimReturnedObject:
220 case CK_ARCExtendBlockObject: // Fall-through.
221 case CK_CopyAndAutoreleaseBlockObject:
222 // The analyser can ignore atomic casts for now, although some future
223 // checkers may want to make certain that you're not modifying the same
224 // value through atomic and nonatomic pointers.
225 case CK_AtomicToNonAtomic:
226 case CK_NonAtomicToAtomic:
229 case CK_FunctionToPointerDecay: {
230 // Copy the SVal of Ex to CastE.
231 ProgramStateRef state = Pred->getState();
232 const LocationContext *LCtx = Pred->getLocationContext();
233 SVal V = state->getSVal(Ex, LCtx);
234 state = state->BindExpr(CastE, LCtx, V);
235 Bldr.generateNode(CastE, Pred, state);
239 case CK_ArrayToPointerDecay:
241 case CK_LValueBitCast:
242 case CK_IntegralCast:
243 case CK_NullToPointer:
244 case CK_IntegralToPointer:
245 case CK_PointerToIntegral:
246 case CK_PointerToBoolean:
247 case CK_IntegralToBoolean:
248 case CK_IntegralToFloating:
249 case CK_FloatingToIntegral:
250 case CK_FloatingToBoolean:
251 case CK_FloatingCast:
252 case CK_FloatingRealToComplex:
253 case CK_FloatingComplexToReal:
254 case CK_FloatingComplexToBoolean:
255 case CK_FloatingComplexCast:
256 case CK_FloatingComplexToIntegralComplex:
257 case CK_IntegralRealToComplex:
258 case CK_IntegralComplexToReal:
259 case CK_IntegralComplexToBoolean:
260 case CK_IntegralComplexCast:
261 case CK_IntegralComplexToFloatingComplex:
262 case CK_CPointerToObjCPointerCast:
263 case CK_BlockPointerToObjCPointerCast:
264 case CK_AnyPointerToBlockPointerCast:
265 case CK_ObjCObjectLValueCast: {
266 // Delegate to SValBuilder to process.
267 ProgramStateRef state = Pred->getState();
268 const LocationContext *LCtx = Pred->getLocationContext();
269 SVal V = state->getSVal(Ex, LCtx);
270 V = svalBuilder.evalCast(V, T, ExTy);
271 state = state->BindExpr(CastE, LCtx, V);
272 Bldr.generateNode(CastE, Pred, state);
275 case CK_DerivedToBase:
276 case CK_UncheckedDerivedToBase: {
277 // For DerivedToBase cast, delegate to the store manager.
278 ProgramStateRef state = Pred->getState();
279 const LocationContext *LCtx = Pred->getLocationContext();
280 SVal val = state->getSVal(Ex, LCtx);
281 val = getStoreManager().evalDerivedToBase(val, T);
282 state = state->BindExpr(CastE, LCtx, val);
283 Bldr.generateNode(CastE, Pred, state);
286 // Handle C++ dyn_cast.
288 ProgramStateRef state = Pred->getState();
289 const LocationContext *LCtx = Pred->getLocationContext();
290 SVal val = state->getSVal(Ex, LCtx);
292 // Compute the type of the result.
293 QualType resultType = CastE->getType();
294 if (CastE->isLValue())
295 resultType = getContext().getPointerType(resultType);
299 // Check if the value being cast evaluates to 0.
300 if (val.isZeroConstant())
302 // Else, evaluate the cast.
304 val = getStoreManager().evalDynamicCast(val, T, Failed);
307 if (T->isReferenceType()) {
308 // A bad_cast exception is thrown if input value is a reference.
309 // Currently, we model this, by generating a sink.
310 Bldr.generateNode(CastE, Pred, state, true);
313 // If the cast fails on a pointer, bind to 0.
314 state = state->BindExpr(CastE, LCtx, svalBuilder.makeNull());
317 // If we don't know if the cast succeeded, conjure a new symbol.
318 if (val.isUnknown()) {
319 DefinedOrUnknownSVal NewSym = svalBuilder.getConjuredSymbolVal(NULL,
320 CastE, LCtx, resultType,
321 currentBuilderContext->getCurrentBlockCount());
322 state = state->BindExpr(CastE, LCtx, NewSym);
324 // Else, bind to the derived region value.
325 state = state->BindExpr(CastE, LCtx, val);
327 Bldr.generateNode(CastE, Pred, state);
330 // Various C++ casts that are not handled yet.
332 case CK_BaseToDerived:
333 case CK_NullToMemberPointer:
334 case CK_BaseToDerivedMemberPointer:
335 case CK_DerivedToBaseMemberPointer:
336 case CK_ReinterpretMemberPointer:
337 case CK_UserDefinedConversion:
338 case CK_ConstructorConversion:
340 case CK_MemberPointerToBoolean: {
341 // Recover some path-sensitivty by conjuring a new value.
342 QualType resultType = CastE->getType();
343 if (CastE->isLValue())
344 resultType = getContext().getPointerType(resultType);
345 const LocationContext *LCtx = Pred->getLocationContext();
346 SVal result = svalBuilder.getConjuredSymbolVal(NULL, CastE, LCtx,
347 resultType, currentBuilderContext->getCurrentBlockCount());
348 ProgramStateRef state = Pred->getState()->BindExpr(CastE, LCtx,
350 Bldr.generateNode(CastE, Pred, state);
357 void ExprEngine::VisitCompoundLiteralExpr(const CompoundLiteralExpr *CL,
359 ExplodedNodeSet &Dst) {
360 StmtNodeBuilder B(Pred, Dst, *currentBuilderContext);
362 const InitListExpr *ILE
363 = cast<InitListExpr>(CL->getInitializer()->IgnoreParens());
365 ProgramStateRef state = Pred->getState();
366 SVal ILV = state->getSVal(ILE, Pred->getLocationContext());
367 const LocationContext *LC = Pred->getLocationContext();
368 state = state->bindCompoundLiteral(CL, LC, ILV);
371 B.generateNode(CL, Pred, state->BindExpr(CL, LC, state->getLValue(CL, LC)));
373 B.generateNode(CL, Pred, state->BindExpr(CL, LC, ILV));
376 void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
377 ExplodedNodeSet &Dst) {
379 // FIXME: static variables may have an initializer, but the second
380 // time a function is called those values may not be current.
381 // This may need to be reflected in the CFG.
383 // Assumption: The CFG has one DeclStmt per Decl.
384 const Decl *D = *DS->decl_begin();
386 if (!D || !isa<VarDecl>(D)) {
387 //TODO:AZ: remove explicit insertion after refactoring is done.
392 // FIXME: all pre/post visits should eventually be handled by ::Visit().
393 ExplodedNodeSet dstPreVisit;
394 getCheckerManager().runCheckersForPreStmt(dstPreVisit, Pred, DS, *this);
396 StmtNodeBuilder B(dstPreVisit, Dst, *currentBuilderContext);
397 const VarDecl *VD = dyn_cast<VarDecl>(D);
398 for (ExplodedNodeSet::iterator I = dstPreVisit.begin(), E = dstPreVisit.end();
400 ExplodedNode *N = *I;
401 ProgramStateRef state = N->getState();
403 // Decls without InitExpr are not initialized explicitly.
404 const LocationContext *LC = N->getLocationContext();
406 if (const Expr *InitEx = VD->getInit()) {
407 SVal InitVal = state->getSVal(InitEx, Pred->getLocationContext());
409 // We bound the temp obj region to the CXXConstructExpr. Now recover
410 // the lazy compound value when the variable is not a reference.
411 if (AMgr.getLangOpts().CPlusPlus && VD->getType()->isRecordType() &&
412 !VD->getType()->isReferenceType() && isa<loc::MemRegionVal>(InitVal)){
413 InitVal = state->getSVal(cast<loc::MemRegionVal>(InitVal).getRegion());
414 assert(isa<nonloc::LazyCompoundVal>(InitVal));
417 // Recover some path-sensitivity if a scalar value evaluated to
419 if (InitVal.isUnknown()) {
420 QualType Ty = InitEx->getType();
421 if (InitEx->isLValue()) {
422 Ty = getContext().getPointerType(Ty);
425 InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC, Ty,
426 currentBuilderContext->getCurrentBlockCount());
429 ExplodedNodeSet Dst2;
430 evalBind(Dst2, DS, N, state->getLValue(VD, LC), InitVal, true);
434 B.generateNode(DS, N,state->bindDeclWithNoInit(state->getRegion(VD, LC)));
439 void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
440 ExplodedNodeSet &Dst) {
441 assert(B->getOpcode() == BO_LAnd ||
442 B->getOpcode() == BO_LOr);
444 StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
445 ProgramStateRef state = Pred->getState();
446 const LocationContext *LCtx = Pred->getLocationContext();
447 SVal X = state->getSVal(B, LCtx);
450 const Expr *Ex = (const Expr*) cast<UndefinedVal>(X).getData();
453 if (Ex == B->getRHS()) {
454 X = state->getSVal(Ex, LCtx);
456 // Handle undefined values.
458 Bldr.generateNode(B, Pred, state->BindExpr(B, LCtx, X));
462 DefinedOrUnknownSVal XD = cast<DefinedOrUnknownSVal>(X);
464 // We took the RHS. Because the value of the '&&' or '||' expression must
465 // evaluate to 0 or 1, we must assume the value of the RHS evaluates to 0
466 // or 1. Alternatively, we could take a lazy approach, and calculate this
467 // value later when necessary. We don't have the machinery in place for
468 // this right now, and since most logical expressions are used for branches,
469 // the payoff is not likely to be large. Instead, we do eager evaluation.
470 if (ProgramStateRef newState = state->assume(XD, true))
471 Bldr.generateNode(B, Pred,
472 newState->BindExpr(B, LCtx,
473 svalBuilder.makeIntVal(1U, B->getType())));
475 if (ProgramStateRef newState = state->assume(XD, false))
476 Bldr.generateNode(B, Pred,
477 newState->BindExpr(B, LCtx,
478 svalBuilder.makeIntVal(0U, B->getType())));
481 // We took the LHS expression. Depending on whether we are '&&' or
482 // '||' we know what the value of the expression is via properties of
483 // the short-circuiting.
484 X = svalBuilder.makeIntVal(B->getOpcode() == BO_LAnd ? 0U : 1U,
486 Bldr.generateNode(B, Pred, state->BindExpr(B, LCtx, X));
490 void ExprEngine::VisitInitListExpr(const InitListExpr *IE,
492 ExplodedNodeSet &Dst) {
493 StmtNodeBuilder B(Pred, Dst, *currentBuilderContext);
495 ProgramStateRef state = Pred->getState();
496 const LocationContext *LCtx = Pred->getLocationContext();
497 QualType T = getContext().getCanonicalType(IE->getType());
498 unsigned NumInitElements = IE->getNumInits();
500 if (T->isArrayType() || T->isRecordType() || T->isVectorType()) {
501 llvm::ImmutableList<SVal> vals = getBasicVals().getEmptySValList();
503 // Handle base case where the initializer has no elements.
504 // e.g: static int* myArray[] = {};
505 if (NumInitElements == 0) {
506 SVal V = svalBuilder.makeCompoundVal(T, vals);
507 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx, V));
511 for (InitListExpr::const_reverse_iterator it = IE->rbegin(),
512 ei = IE->rend(); it != ei; ++it) {
513 vals = getBasicVals().consVals(state->getSVal(cast<Expr>(*it), LCtx),
517 B.generateNode(IE, Pred,
518 state->BindExpr(IE, LCtx,
519 svalBuilder.makeCompoundVal(T, vals)));
523 if (Loc::isLocType(T) || T->isIntegerType()) {
524 assert(IE->getNumInits() == 1);
525 const Expr *initEx = IE->getInit(0);
526 B.generateNode(IE, Pred, state->BindExpr(IE, LCtx,
527 state->getSVal(initEx, LCtx)));
531 llvm_unreachable("unprocessed InitListExpr type");
534 void ExprEngine::VisitGuardedExpr(const Expr *Ex,
538 ExplodedNodeSet &Dst) {
539 StmtNodeBuilder B(Pred, Dst, *currentBuilderContext);
541 ProgramStateRef state = Pred->getState();
542 const LocationContext *LCtx = Pred->getLocationContext();
543 SVal X = state->getSVal(Ex, LCtx);
544 assert (X.isUndef());
545 const Expr *SE = (Expr*) cast<UndefinedVal>(X).getData();
547 X = state->getSVal(SE, LCtx);
549 // Make sure that we invalidate the previous binding.
550 B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, X, true));
554 VisitOffsetOfExpr(const OffsetOfExpr *OOE,
555 ExplodedNode *Pred, ExplodedNodeSet &Dst) {
556 StmtNodeBuilder B(Pred, Dst, *currentBuilderContext);
558 if (OOE->EvaluateAsInt(IV, getContext())) {
559 assert(IV.getBitWidth() == getContext().getTypeSize(OOE->getType()));
560 assert(OOE->getType()->isIntegerType());
561 assert(IV.isSigned() == OOE->getType()->isSignedIntegerOrEnumerationType());
562 SVal X = svalBuilder.makeIntVal(IV);
563 B.generateNode(OOE, Pred,
564 Pred->getState()->BindExpr(OOE, Pred->getLocationContext(),
567 // FIXME: Handle the case where __builtin_offsetof is not a constant.
572 VisitUnaryExprOrTypeTraitExpr(const UnaryExprOrTypeTraitExpr *Ex,
574 ExplodedNodeSet &Dst) {
575 StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
577 QualType T = Ex->getTypeOfArgument();
579 if (Ex->getKind() == UETT_SizeOf) {
580 if (!T->isIncompleteType() && !T->isConstantSizeType()) {
581 assert(T->isVariableArrayType() && "Unknown non-constant-sized type.");
583 // FIXME: Add support for VLA type arguments and VLA expressions.
584 // When that happens, we should probably refactor VLASizeChecker's code.
587 else if (T->getAs<ObjCObjectType>()) {
588 // Some code tries to take the sizeof an ObjCObjectType, relying that
589 // the compiler has laid out its representation. Just report Unknown
595 APSInt Value = Ex->EvaluateKnownConstInt(getContext());
596 CharUnits amt = CharUnits::fromQuantity(Value.getZExtValue());
598 ProgramStateRef state = Pred->getState();
599 state = state->BindExpr(Ex, Pred->getLocationContext(),
600 svalBuilder.makeIntVal(amt.getQuantity(),
602 Bldr.generateNode(Ex, Pred, state);
605 void ExprEngine::VisitUnaryOperator(const UnaryOperator* U,
607 ExplodedNodeSet &Dst) {
608 StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
609 switch (U->getOpcode()) {
611 Bldr.takeNodes(Pred);
613 VisitIncrementDecrementOperator(U, Pred, Tmp);
618 const Expr *Ex = U->getSubExpr()->IgnoreParens();
620 // FIXME: We don't have complex SValues yet.
621 if (Ex->getType()->isAnyComplexType()) {
622 // Just report "Unknown."
626 // For all other types, UO_Real is an identity operation.
627 assert (U->getType() == Ex->getType());
628 ProgramStateRef state = Pred->getState();
629 const LocationContext *LCtx = Pred->getLocationContext();
630 Bldr.generateNode(U, Pred, state->BindExpr(U, LCtx,
631 state->getSVal(Ex, LCtx)));
636 const Expr *Ex = U->getSubExpr()->IgnoreParens();
637 // FIXME: We don't have complex SValues yet.
638 if (Ex->getType()->isAnyComplexType()) {
639 // Just report "Unknown."
642 // For all other types, UO_Imag returns 0.
643 ProgramStateRef state = Pred->getState();
644 const LocationContext *LCtx = Pred->getLocationContext();
645 SVal X = svalBuilder.makeZeroVal(Ex->getType());
646 Bldr.generateNode(U, Pred, state->BindExpr(U, LCtx, X));
651 assert(!U->isLValue());
656 // FIXME: We can probably just have some magic in Environment::getSVal()
657 // that propagates values, instead of creating a new node here.
659 // Unary "+" is a no-op, similar to a parentheses. We still have places
660 // where it may be a block-level expression, so we need to
661 // generate an extra node that just propagates the value of the
663 const Expr *Ex = U->getSubExpr()->IgnoreParens();
664 ProgramStateRef state = Pred->getState();
665 const LocationContext *LCtx = Pred->getLocationContext();
666 Bldr.generateNode(U, Pred, state->BindExpr(U, LCtx,
667 state->getSVal(Ex, LCtx)));
674 assert (!U->isLValue());
675 const Expr *Ex = U->getSubExpr()->IgnoreParens();
676 ProgramStateRef state = Pred->getState();
677 const LocationContext *LCtx = Pred->getLocationContext();
679 // Get the value of the subexpression.
680 SVal V = state->getSVal(Ex, LCtx);
682 if (V.isUnknownOrUndef()) {
683 Bldr.generateNode(U, Pred, state->BindExpr(U, LCtx, V));
687 switch (U->getOpcode()) {
689 llvm_unreachable("Invalid Opcode.");
691 // FIXME: Do we need to handle promotions?
692 state = state->BindExpr(U, LCtx, evalComplement(cast<NonLoc>(V)));
695 // FIXME: Do we need to handle promotions?
696 state = state->BindExpr(U, LCtx, evalMinus(cast<NonLoc>(V)));
699 // C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
701 // Note: technically we do "E == 0", but this is the same in the
702 // transfer functions as "0 == E".
705 Loc X = svalBuilder.makeNull();
706 Result = evalBinOp(state, BO_EQ, cast<Loc>(V), X,
710 nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType()));
711 Result = evalBinOp(state, BO_EQ, cast<NonLoc>(V), X,
715 state = state->BindExpr(U, LCtx, Result);
718 Bldr.generateNode(U, Pred, state);
725 void ExprEngine::VisitIncrementDecrementOperator(const UnaryOperator* U,
727 ExplodedNodeSet &Dst) {
728 // Handle ++ and -- (both pre- and post-increment).
729 assert (U->isIncrementDecrementOp());
730 const Expr *Ex = U->getSubExpr()->IgnoreParens();
732 const LocationContext *LCtx = Pred->getLocationContext();
733 ProgramStateRef state = Pred->getState();
734 SVal loc = state->getSVal(Ex, LCtx);
738 evalLoad(Tmp, U, Ex, Pred, state, loc);
740 ExplodedNodeSet Dst2;
741 StmtNodeBuilder Bldr(Tmp, Dst2, *currentBuilderContext);
742 for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end();I!=E;++I) {
744 state = (*I)->getState();
745 assert(LCtx == (*I)->getLocationContext());
746 SVal V2_untested = state->getSVal(Ex, LCtx);
748 // Propagate unknown and undefined values.
749 if (V2_untested.isUnknownOrUndef()) {
750 Bldr.generateNode(U, *I, state->BindExpr(U, LCtx, V2_untested));
753 DefinedSVal V2 = cast<DefinedSVal>(V2_untested);
755 // Handle all other values.
756 BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
758 // If the UnaryOperator has non-location type, use its type to create the
759 // constant value. If the UnaryOperator has location type, create the
760 // constant with int type and pointer width.
763 if (U->getType()->isAnyPointerType())
764 RHS = svalBuilder.makeArrayIndex(1);
766 RHS = svalBuilder.makeIntVal(1, U->getType());
768 SVal Result = evalBinOp(state, Op, V2, RHS, U->getType());
770 // Conjure a new symbol if necessary to recover precision.
771 if (Result.isUnknown()){
772 DefinedOrUnknownSVal SymVal =
773 svalBuilder.getConjuredSymbolVal(NULL, Ex, LCtx,
774 currentBuilderContext->getCurrentBlockCount());
777 // If the value is a location, ++/-- should always preserve
778 // non-nullness. Check if the original value was non-null, and if so
779 // propagate that constraint.
780 if (Loc::isLocType(U->getType())) {
781 DefinedOrUnknownSVal Constraint =
782 svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType()));
784 if (!state->assume(Constraint, true)) {
785 // It isn't feasible for the original value to be null.
786 // Propagate this constraint.
787 Constraint = svalBuilder.evalEQ(state, SymVal,
788 svalBuilder.makeZeroVal(U->getType()));
791 state = state->assume(Constraint, false);
797 // Since the lvalue-to-rvalue conversion is explicit in the AST,
798 // we bind an l-value if the operator is prefix and an lvalue (in C++).
800 state = state->BindExpr(U, LCtx, loc);
802 state = state->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);
804 // Perform the store.
806 ExplodedNodeSet Dst3;
807 evalStore(Dst3, U, U, *I, state, loc, Result);
projects / FreeBSD / stable / 9.git / blob