Lines Matching full:state
117 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
121 checkRegionChanges(ProgramStateRef state,
206 ProgramStateRef state, SizeArgExpr Size,
252 ProgramStateRef state, SVal V, QualType Ty);
254 static ProgramStateRef setCStringLength(ProgramStateRef state,
258 ProgramStateRef &state,
263 ProgramStateRef &state,
269 ProgramStateRef &state,
297 CheckerContext &C, ProgramStateRef State, const Expr *Ex, SVal V,
307 ProgramStateRef &State);
310 ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
314 ProgramStateRef checkInit(CheckerContext &C, ProgramStateRef state,
316 ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
320 ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
324 ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
329 ProgramStateRef state,
333 void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
335 void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
337 void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
339 void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
340 void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State,
344 ProgramStateRef state,
351 static bool isFirstBufInBound(CheckerContext &C, ProgramStateRef State,
365 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef State, SVal V,
369 return std::pair<ProgramStateRef, ProgramStateRef>(State, State);
373 return State->assume(svalBuilder.evalEQ(State, *val, zero));
377 ProgramStateRef State,
380 if (!State)
385 assumeZero(C, State, l, Arg.Expression->getType());
406 static std::optional<NonLoc> getIndex(ProgramStateRef State,
408 SValBuilder &SVB = State->getStateManager().getSValBuilder();
426 SVB.evalBinOpNN(State, BO_Mul, ER->getIndex(), WideSize, SizeTy);
438 ProgramStateRef State,
443 if (!State)
449 return State;
453 return State;
458 return State;
467 State->getLValue(ElemTy, Zero, loc::MemRegionVal(SuperR)).getAs<Loc>();
469 return State;
473 State->getSVal(*FirstElementVal).isUndef()) {
479 emitUninitializedReadBug(C, State, Buffer.Expression,
512 SVB.evalBinOpNN(State, clang::BO_Div, Size.castAs<NonLoc>(), ElemSize,
518 SVal LastIdx = SVB.evalBinOpNN(State, BO_Sub, *Offset, One, IdxTy);
521 return State;
524 State->getLValue(ElemTy, LastIdx, loc::MemRegionVal(SuperR));
526 return State;
529 State->getSVal(LastElementVal.castAs<Loc>()).isUndef()) {
544 emitUninitializedReadBug(C, State, Buffer.Expression,
548 return State;
553 ProgramStateRef state,
559 if (!state)
565 return state;
569 return state;
572 std::optional<NonLoc> Idx = getIndex(state, ER, CK);
574 return state;
579 getDynamicExtent(state, superReg, C.getSValBuilder());
581 auto [StInBound, StOutBound] = state->assumeInBoundDual(*Idx, Size);
602 CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
606 if (!State)
617 State = checkNonNull(C, State, Buffer, BufVal);
618 if (!State)
623 return State;
629 State = CheckLocation(C, State, Buffer, BufStart, Access, CK);
631 if (!State)
640 return State;
644 SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
653 svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
654 State = CheckLocation(C, State, Buffer, BufEnd, Access, CK);
656 State = checkInit(C, State, Buffer, BufEnd, *Length);
659 if (!State)
663 // Large enough or not, return this state!
664 return State;
668 ProgramStateRef state,
673 return state;
680 if (!state)
688 return state;
692 SVal firstVal = state->getSVal(First.Expression, LCtx);
693 SVal secondVal = state->getSVal(Second.Expression, LCtx);
697 return state;
701 return state;
706 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
716 state = stateFalse;
721 svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
725 return state;
727 std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
731 return state;
742 SVal LengthVal = state->getSVal(Size.Expression, LCtx);
745 return state;
755 return state;
758 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
762 return state;
766 svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
770 return state;
772 std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
785 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
787 ExplodedNode *N = C.generateErrorNode(state);
804 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
806 if (ExplodedNode *N = C.generateErrorNode(State)) {
824 ProgramStateRef State,
827 if (ExplodedNode *N = C.generateErrorNode(State)) {
844 ProgramStateRef State, const Stmt *S,
846 if (ExplodedNode *N = C.generateErrorNode(State)) {
863 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
866 if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
883 ProgramStateRef State) const {
884 if (ExplodedNode *N = C.generateErrorNode(State)) {
907 ProgramStateRef state,
912 return state;
915 if (!state)
927 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
932 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
940 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
945 state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
955 state = stateOkay;
958 return state;
961 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
972 return state;
986 return state;
993 return state;
997 return state->remove<CStringLength>(MR);
999 return state->set<CStringLength>(MR, strLength);
1003 ProgramStateRef &state,
1009 const SVal *Recorded = state->get<CStringLength>(MR);
1014 // Otherwise, get a new symbol and update the state.
1031 SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn, maxLength,
1033 state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
1035 state = state->set<CStringLength>(MR, strLength);
1041 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
1058 emitNotCStringBug(C, state, Ex, os.str());
1100 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
1124 emitNotCStringBug(C, state, Ex, os.str());
1131 ProgramStateRef &state, const Expr *expr, SVal val) const {
1150 bool CStringChecker::isFirstBufInBound(CheckerContext &C, ProgramStateRef State,
1155 // invalidated, which would lead to warnings based on an unknown state.
1172 SVal Offset = SB.evalBinOpNN(State, BO_Sub, *Length, One, LengthTy);
1183 SVal BufEnd = SB.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
1201 DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, superReg, SB);
1206 ProgramStateRef StInBound = State->assumeInBound(Idx, SizeDV, true);
1274 CheckerContext &C, ProgramStateRef State, const Expr *E, SVal V,
1280 return State;
1300 return State->invalidateRegions(R, E, C.blockCount(), LCtx,
1308 return State->killBinding(*L);
1352 ProgramStateRef &State) {
1378 DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder);
1382 State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));
1390 assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1400 State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1405 State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
1412 State = setCStringLength(State, MR,
1422 State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1424 State = setCStringLength(
1425 State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1431 State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
1442 ProgramStateRef state, SizeArgExpr Size,
1450 SVal sizeVal = state->getSVal(Size.Expression, LCtx);
1455 assumeZero(C, state, sizeVal, sizeTy);
1458 SVal destVal = state->getSVal(Dest.Expression, LCtx);
1474 state = stateNonZeroSize;
1478 state = checkNonNull(C, state, Dest, destVal);
1479 if (!state)
1483 SVal srcVal = state->getSVal(Source.Expression, LCtx);
1487 state = checkNonNull(C, state, Source, srcVal);
1488 if (!state)
1492 state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write, CK);
1493 state = CheckBufferAccess(C, state, Source, Size, AccessKind::read, CK);
1496 state = CheckOverlap(C, state, Size, Dest, Source, CK);
1498 if (!state)
1511 state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
1519 state = state->BindExpr(Call.getOriginExpr(), LCtx, lastElement);
1523 state = state->BindExpr(Call.getOriginExpr(), LCtx, destVal);
1532 state = invalidateDestinationBufferBySize(
1533 C, state, Dest.Expression, C.getSVal(Dest.Expression), sizeVal,
1538 state = invalidateSourceBuffer(C, state, Source.Expression,
1541 C.addTransition(state);
1553 ProgramStateRef State = C.getState();
1557 evalCopyCommon(C, Call, State, Size, Dest, Src, IsRestricted, IsMempcpy, CK);
1609 ProgramStateRef State = C.getState();
1614 SVal sizeVal = State->getSVal(Size.Expression, LCtx);
1619 assumeZero(C, State, sizeVal, sizeTy);
1624 State = stateZeroSize;
1625 State = State->BindExpr(Call.getOriginExpr(), LCtx,
1627 C.addTransition(State);
1632 State = stateNonZeroSize;
1637 State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1639 State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1644 State->assume(Builder.evalEQ(State, LV, RV));
1649 State = SameBuffer;
1650 State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1651 if (State) {
1652 State = SameBuffer->BindExpr(Call.getOriginExpr(), LCtx,
1654 C.addTransition(State);
1662 State = CheckBufferAccess(C, State, Right, Size, AccessKind::read, CK);
1663 State = CheckBufferAccess(C, State, Left, Size, AccessKind::read, CK);
1664 if (State) {
1668 State = State->BindExpr(Call.getOriginExpr(), LCtx, CmpV);
1669 C.addTransition(State);
1690 ProgramStateRef state = C.getState();
1695 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1699 assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1714 state = stateNonZeroSize;
1719 SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
1720 state = checkNonNull(C, state, Arg, ArgVal);
1722 if (!state)
1725 SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);
1727 // If the argument isn't a valid C string, there's no valid state to
1742 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1751 std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1753 .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1775 state = state->assume(C.getSValBuilder().evalBinOpNN(
1776 state, BO_LE, resultNL, *strLengthNL, cmpTy)
1781 state = state->assume(C.getSValBuilder().evalBinOpNN(
1782 state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1801 state = state->BindExpr(Call.getOriginExpr(), LCtx, result);
1802 C.addTransition(state);
1881 ProgramStateRef state = C.getState();
1886 SVal DstVal = state->getSVal(Dst.Expression, LCtx);
1887 state = checkNonNull(C, state, Dst, DstVal);
1888 if (!state)
1893 SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
1894 state = checkNonNull(C, state, srcExpr, srcVal);
1895 if (!state)
1899 SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
1903 SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
1925 state = CheckOverlap(
1926 C, state,
1930 if (!state)
1937 SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);
1955 std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1957 .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1963 state = stateSourceTooLong;
1968 state = stateSourceNotTooLong;
1978 SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1983 svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
1992 state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
1996 state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
2027 state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
2045 assumeZero(C, state, *lenValNL, sizeTy);
2060 state, BO_Add, strLength, dstStrLength, sizeTy);
2074 svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
2086 assert(state);
2109 strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
2118 state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
2119 if (!state)
2122 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
2132 getCStringLength(C, state, Call.getOriginExpr(), DstVal, true);
2141 state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
2142 state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
2144 if (!state)
2151 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
2155 state =
2156 state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
2157 if (!state)
2183 assert(state);
2195 svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
2198 state = CheckLocation(C, state, Dst, DstVal, AccessKind::write);
2199 if (!state)
2202 state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
2203 if (!state)
2209 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
2215 state = CheckLocation(C, state, Dst, DstVal, AccessKind::write);
2216 if (!state)
2219 state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
2220 if (!state)
2236 state = invalidateDestinationBufferBySize(C, state, Dst.Expression,
2242 state = invalidateSourceBuffer(C, state, srcExpr.Expression, srcVal);
2253 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
2256 assert(state);
2267 state = state->BindExpr(Call.getOriginExpr(), LCtx, Result);
2268 C.addTransition(state);
2298 ProgramStateRef state = C.getState();
2303 SVal LeftVal = state->getSVal(Left.Expression, LCtx);
2304 state = checkNonNull(C, state, Left, LeftVal);
2305 if (!state)
2310 SVal RightVal = state->getSVal(Right.Expression, LCtx);
2311 state = checkNonNull(C, state, Right, RightVal);
2312 if (!state)
2316 SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
2321 SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
2333 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
2335 std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
2351 state = StNotSameBuf;
2358 getCStringLiteral(C, state, Left.Expression, LeftVal);
2360 getCStringLiteral(C, state, Right.Expression, RightVal);
2372 SVal lenVal = state->getSVal(lenExpr, LCtx);
2375 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
2411 svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2414 state = state->assume(compareWithZeroVal, true);
2419 state = state->BindExpr(Call.getOriginExpr(), LCtx, resultVal);
2422 C.addTransition(state);
2437 ProgramStateRef State = C.getState();
2442 SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
2443 State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2444 if (!State)
2449 SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
2450 State = checkNonNull(C, State, DelimStr, DelimStrVal);
2451 if (!State)
2458 Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2463 State = invalidateDestinationBufferNeverOverflows(
2464 C, State, SearchStrPtr.Expression, Result);
2468 State =
2469 State->bindLoc(*SearchStrLoc,
2481 State = State->BindExpr(Call.getOriginExpr(), LCtx, Result);
2482 C.addTransition(State);
2501 ProgramStateRef State = C.getState();
2512 SVal DstVal = State->getSVal(Dst, LCtx);
2515 State =
2516 invalidateDestinationBufferAlwaysEscapeSuperRegion(C, State, Dst, DstVal);
2522 State = State->BindExpr(Call.getOriginExpr(), LCtx, ResultVal);
2524 C.addTransition(State);
2536 ProgramStateRef State = C.getState();
2544 std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);
2559 State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
2560 if (!State)
2563 State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2564 if (!State)
2571 Size.Expression, C, State))
2574 State = State->BindExpr(Call.getOriginExpr(), LCtx, BufferPtrVal);
2575 C.addTransition(State);
2585 ProgramStateRef State = C.getState();
2593 assumeZero(C, State, SizeVal, SizeTy);
2607 State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
2608 if (!State)
2611 State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2612 if (!State)
2615 if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
2618 C.addTransition(State);
2635 ProgramStateRef State = C.getState();
2660 State = CheckOverlap(
2661 C, State,
2664 if (!State)
2668 C.addTransition(State);
2729 ProgramStateRef state = C.getState();
2746 Loc VarLoc = state->getLValue(D, C.getLocationContext());
2754 getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2756 state = state->set<CStringLength>(MR, strLength);
2759 C.addTransition(state);
2763 CStringChecker::checkRegionChanges(ProgramStateRef state,
2769 CStringLengthTy Entries = state->get<CStringLength>();
2771 return state;
2787 CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2789 // Then loop over the entries in the current state.
2808 return state->set<CStringLength>(Entries);
2811 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2814 CStringLengthTy Entries = state->get<CStringLength>();
2824 ProgramStateRef state = C.getState();
2825 CStringLengthTy Entries = state->get<CStringLength>();
2829 CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2837 state = state->set<CStringLength>(Entries);
2838 C.addTransition(state);