Lines Matching +full:non +full:- +full:descriptive

1 //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==//
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // This file defines ArrayBoundCheckerV2, which is a path-sensitive check
10 // which looks for an out-of-bound array element access.
12 //===----------------------------------------------------------------------===//
47 const MemRegion *SubscriptBaseReg = C.getSVal(ASE->getBase()).getAsRegion();
53 if (isa<ElementRegion>(SubscriptBaseReg->StripCasts()))
56 return ASE->getType();
105 /// sub-expressions of each other (but `getSimplifiedOffsets` is smart enough
129 BugType BT{this, "Out-of-bound access"};
130 BugType TaintBT{this, "Out-of-bound access", categories::TaintedData};
154 if (E->getOpcode() == UO_Deref)
158 if (E->isArrow())
159 performCheck(E->getBase(), C);
185 const auto Index = CurRegion->getIndex().getAs<NonLoc>();
189 QualType ElemType = CurRegion->getElementType();
194 if (ElemType->isIncompleteType())
209 OwnerRegion = CurRegion->getSuperRegion()->getAs<SubRegion>();
238 // turn it into "X < -1", which is still always false in a mathematical sense,
240 // the rules of C++ and casts -1 to SIZE_MAX).
245 if (SymVal && SymVal->isExpression()) {
246 if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) {
248 APSIntType(extent.getValue()).convert(SIE->getRHS());
249 switch (SIE->getOpcode()) {
257 nonloc::SymbolVal(SIE->getLHS()),
262 nonloc::SymbolVal(SIE->getLHS()),
263 svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder);
275 return MaxV && MaxV->isNegative();
280 return T->isUnsignedIntegerType();
299 // perform automatic conversions. For example the number -1 is less than the
300 // number 1000, but -1 < `1000ull` will evaluate to `false` because the `int`
301 // -1 is converted to ULLONG_MAX.
317 // FIXME: These special cases are sufficient for handling real-world
334 return State->assume(*BelowThreshold);
340 if (std::string RegName = Region->getDescriptiveName(); !RegName.empty())
343 // Field regions only have descriptive names when their parent has a
344 // descriptive name; so we provide a fallback representation for them:
345 if (const auto *FR = Region->getAs<FieldRegion>()) {
346 if (StringRef Name = FR->getDecl()->getName(); !Name.empty())
355 isa<HeapSpaceRegion>(Region->getMemorySpace()))
366 return ConcreteVal->getValue().tryExtValue();
410 const auto *EReg = Location.getAsRegion()->getAs<ElementRegion>();
412 QualType ElemType = EReg->getElementType();
471 return C.getNoteTag([*this](PathSensitiveBugReport &BR) -> std::string {
514 Out << " non-negative";
523 Out << "the number of '" << ElementType->getAsString()
536 for (SymbolRef PartSym : Sym->symbols()) {
577 const MemSpaceRegion *Space = Reg->getMemorySpace();
584 // non-symbolic regions (e.g. a field subregion of a symbolic region) in
604 // evalBinOpNN fails to evaluate the less-than operator.
614 // checker will first assume that the offset is non-negative, and then
627 // expression that calculates the past-the-end pointer.
649 if (isTainted(State, ASE->getIdx(), C.getLocationContext()))
664 // evalBinOpNN fails to evaluate the less-than operator.
682 for (SymbolRef PartSym : Sym->symbols())
690 // `Sym->symbols()` (because they're only loosely connected to `Val`).
713 // - Interestingness is not applied consistently, e.g. if `array[x+10]`
715 // - We get irrelevant diagnostic pieces, e.g. in the code
729 SourceLocation Loc = S->getBeginLoc();
756 return UnaryOp && UnaryOp->getOpcode() == UO_AddrOf;