本文整理汇总了C++中SVal类的典型用法代码示例。如果您正苦于以下问题:C++ SVal类的具体用法?C++ SVal怎么用?C++ SVal使用的例子?那么, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了SVal类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1:
std::shared_ptr<PathDiagnosticPiece>
DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, const ExplodedNode *Pred,
BugReporterContext &BRC, BugReport &BR) {
if (Satisfied)
return nullptr;
const Expr *E = nullptr;
if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) {
BinaryOperator::Opcode Op = BO->getOpcode();
if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
Op == BO_RemAssign) {
E = BO->getRHS();
}
}
if (!E)
return nullptr;
SVal S = Succ->getSVal(E);
if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) {
Satisfied = true;
// Construct a new PathDiagnosticPiece.
ProgramPoint P = Succ->getLocation();
PathDiagnosticLocation L =
PathDiagnosticLocation::create(P, BRC.getSourceManager());
if (!L.isValid() || !L.asLocation().isValid())
return nullptr;
return std::make_shared<PathDiagnosticEventPiece>(
L, "Division with compared value made here");
}
return nullptr;
}示例2: getRawSVal
SVal ProgramState::getSVal(Loc location, QualType T) const {
SVal V = getRawSVal(cast<Loc>(location), T);
// If 'V' is a symbolic value that is *perfectly* constrained to
// be a constant value, use that value instead to lessen the burden
// on later analysis stages (so we have less symbolic values to reason
// about).
if (!T.isNull()) {
if (SymbolRef sym = V.getAsSymbol()) {
if (const llvm::APSInt *Int = getStateManager()
.getConstraintManager()
.getSymVal(this, sym)) {
// FIXME: Because we don't correctly model (yet) sign-extension
// and truncation of symbolic values, we need to convert
// the integer value to the correct signedness and bitwidth.
//
// This shows up in the following:
//
// char foo();
// unsigned x = foo();
// if (x == 54)
// ...
//
// The symbolic value stored to 'x' is actually the conjured
// symbol for the call to foo(); the type of that symbol is 'char',
// not unsigned.
const llvm::APSInt &NewV = getBasicVals().Convert(T, *Int);
if (V.getAs<Loc>())
return loc::ConcreteInt(NewV);
else
return nonloc::ConcreteInt(NewV);
}
}
}
return V;
}示例3: checkPreStmt
void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
CheckerContext &C) const {
// When doing pointer subtraction, if the two pointers do not point to the
// same memory chunk, emit a warning.
if (B->getOpcode() != BO_Sub)
return;
ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext();
SVal LV = state->getSVal(B->getLHS(), LCtx);
SVal RV = state->getSVal(B->getRHS(), LCtx);
const MemRegion *LR = LV.getAsRegion();
const MemRegion *RR = RV.getAsRegion();
if (!(LR && RR))
return;
const MemRegion *BaseLR = LR->getBaseRegion();
const MemRegion *BaseRR = RR->getBaseRegion();
if (BaseLR == BaseRR)
return;
// Allow arithmetic on different symbolic regions.
if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
return;
if (ExplodedNode *N = C.addTransition()) {
if (!BT)
BT.reset(new BuiltinBug("Pointer subtraction",
"Subtraction of two pointers that do not point to "
"the same memory chunk may cause incorrect result."));
BugReport *R = new BugReport(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange());
C.EmitReport(R);
}
}示例4: reportBug
void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
if (ExplodedNode *N = C.generateSink(C.getState())) {
if (!DivZeroBug)
DivZeroBug.reset(new BuiltinBug(this, "Division by zero"));
BugReport *R =
new BugReport(*DivZeroBug, "Value being compared against zero has "
"already been used for division",
N);
R->addVisitor(new DivisionBRVisitor(Val.getAsSymbol(), C.getStackFrame()));
C.emitReport(R);
}
}示例5: invalidateIterators
// Handle assigning to an iterator where we don't have the LValue MemRegion.
const ProgramState *IteratorsChecker::handleAssign(const ProgramState *state,
const Expr *lexp, const Expr *rexp, const LocationContext *LC) const {
// Skip the cast if present.
if (const MaterializeTemporaryExpr *M
= dyn_cast<MaterializeTemporaryExpr>(lexp))
lexp = M->GetTemporaryExpr();
if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(lexp))
lexp = ICE->getSubExpr();
SVal sv = state->getSVal(lexp);
const MemRegion *MR = sv.getAsRegion();
if (!MR)
return state;
RefKind kind = getTemplateKind(lexp->getType());
// If assigning to a vector, invalidate any iterators currently associated.
if (kind == VectorKind)
return invalidateIterators(state, MR, 0);
// Make sure that we are assigning to an iterator.
if (getTemplateKind(lexp->getType()) != VectorIteratorKind)
return state;
return handleAssign(state, MR, rexp, LC);
}示例6: evalCall
bool OSAtomicChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
const ProgramState *state = C.getState();
const Expr *Callee = CE->getCallee();
SVal L = state->getSVal(Callee);
const FunctionDecl *FD = L.getAsFunctionDecl();
if (!FD)
return false;
const IdentifierInfo *II = FD->getIdentifier();
if (!II)
return false;
StringRef FName(II->getName());
// Check for compare and swap.
if (FName.startswith("OSAtomicCompareAndSwap") ||
FName.startswith("objc_atomicCompareAndSwap"))
return evalOSAtomicCompareAndSwap(C, CE);
// FIXME: Other atomics.
return false;
}示例7: isLocTainted
bool DoubleFetchChecker::isLocTainted(ProgramStateRef state, SVal loc) const{
if (MaxTag == -1)
return false;
else{
const MemRegion *mrptr = loc.getAsRegion();
if(!mrptr)
std::cout<<"(isLocTainted) getAsRegion failed!"<<std::endl;
const TaintList *tl = state->get<LocalVarMap>(mrptr);
if (tl){
return true;
}
return false;
}
}示例8: checkPreStmt
void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const {
SVal Arg = C.getSVal(DE->getArgument());
if (Arg.isUndef()) {
StringRef Desc;
ExplodedNode *N = C.generateSink();
if (!N)
return;
if (!BT_cxx_delete_undef)
BT_cxx_delete_undef.reset(
new BuiltinBug(this, "Uninitialized argument value"));
if (DE->isArrayFormAsWritten())
Desc = "Argument to 'delete[]' is uninitialized";
else
Desc = "Argument to 'delete' is uninitialized";
BugType *BT = BT_cxx_delete_undef.get();
auto R = llvm::make_unique<BugReport>(*BT, Desc, N);
bugreporter::trackNullOrUndefValue(N, DE, *R);
C.emitReport(std::move(R));
return;
}
}示例9: BuiltinBug
void UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
const Stmt *StoreE,
CheckerContext &C) const {
if (!val.isUndef())
return;
ExplodedNode *N = C.generateSink();
if (!N)
return;
const char *str = "Assigned value is garbage or undefined";
if (!BT)
BT.reset(new BuiltinBug(str));
// Generate a report for this bug.
const Expr *ex = 0;
while (StoreE) {
if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
if (B->isCompoundAssignmentOp()) {
ProgramStateRef state = C.getState();
if (state->getSVal(B->getLHS(), C.getLocationContext()).isUndef()) {
str = "The left expression of the compound assignment is an "
"uninitialized value. The computed value will also be garbage";
ex = B->getLHS();
break;
}
}
ex = B->getRHS();
break;
}
if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) {
const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
ex = VD->getInit();
}
break;
}
BugReport *R = new BugReport(*BT, str, N);
if (ex) {
R->addRange(ex->getSourceRange());
bugreporter::trackNullOrUndefValue(N, ex, *R);
}
C.EmitReport(R);
}示例10: checkPreStmt
void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
CheckerContext &C) const {
// When doing pointer subtraction, if the two pointers do not point to the
// same memory chunk, emit a warning.
if (B->getOpcode() != BO_Sub)
return;
SVal LV = C.getSVal(B->getLHS());
SVal RV = C.getSVal(B->getRHS());
const MemRegion *LR = LV.getAsRegion();
const MemRegion *RR = RV.getAsRegion();
if (!(LR && RR))
return;
const MemRegion *BaseLR = LR->getBaseRegion();
const MemRegion *BaseRR = RR->getBaseRegion();
if (BaseLR == BaseRR)
return;
// Allow arithmetic on different symbolic regions.
if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
return;
if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT)
BT.reset(
new BuiltinBug(this, "Pointer subtraction",
"Subtraction of two pointers that do not point to "
"the same memory chunk may cause incorrect result."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange());
C.emitReport(std::move(R));
}
}示例11: checkArgs
// on a member call, first check the args for any bad iterators
// then, check to see if it is a call to a function that will invalidate
// the iterators
void IteratorsChecker::checkPreStmt(const CXXMemberCallExpr *MCE,
CheckerContext &C) const {
// Check the arguments.
checkArgs(C, MCE);
const MemberExpr *ME = dyn_cast<MemberExpr>(MCE->getCallee());
if (!ME)
return;
// Make sure we have the right kind of container.
const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(ME->getBase());
if (!DRE || getTemplateKind(DRE->getType()) != VectorKind)
return;
SVal tsv = C.getState()->getSVal(DRE);
// Get the MemRegion associated with the container instance.
const MemRegion *MR = tsv.getAsRegion();
if (!MR)
return;
// If we are calling a function that invalidates iterators, mark them
// appropriately by finding matching instances.
const ProgramState *state = C.getState();
StringRef mName = ME->getMemberDecl()->getName();
if (llvm::StringSwitch<bool>(mName)
.Cases("insert", "reserve", "push_back", true)
.Cases("erase", "pop_back", "clear", "resize", true)
.Default(false)) {
// If there was a 'reserve' call, assume iterators are good.
if (!state->contains<CalledReserved>(MR))
state = invalidateIterators(state, MR, ME);
}
// Keep track of instances that have called 'reserve'
// note: do this after we invalidate any iterators by calling
// 'reserve' itself.
if (mName == "reserve")
state = state->add<CalledReserved>(MR);
if (state != C.getState())
C.addTransition(state);
}示例12: BuiltinBug
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
CheckerContext &C) const {
// Check for dereference of an undefined value.
if (l.isUndef()) {
if (ExplodedNode *N = C.generateSink()) {
if (!BT_undef)
BT_undef.reset(new BuiltinBug("Dereference of undefined pointer value"));
BugReport *report =
new BugReport(*BT_undef, BT_undef->getDescription(), N);
bugreporter::addTrackNullOrUndefValueVisitor(N,
bugreporter::GetDerefExpr(N),
report);
report->disablePathPruning();
C.EmitReport(report);
}
return;
}
DefinedOrUnknownSVal location = cast<DefinedOrUnknownSVal>(l);
// Check for null dereferences.
if (!isa<Loc>(location))
return;
ProgramStateRef state = C.getState();
ProgramStateRef notNullState, nullState;
llvm::tie(notNullState, nullState) = state->assume(location);
// The explicit NULL case.
if (nullState) {
if (!notNullState) {
reportBug(nullState, S, C);
return;
}
// Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null
// dereference.
if (ExplodedNode *N = C.generateSink(nullState)) {
ImplicitNullDerefEvent event = { l, isLoad, N, &C.getBugReporter() };
dispatchEvent(event);
}
}
// From this point forward, we know that the location is not null.
C.addTransition(notNullState);
}示例13: getSymbolRef
SymbolRef DoubleFetchChecker::getSymbolRef(SVal val) const {
if(val.isConstant()){
std::cout<<"--->(getSymbolRef) failed! IsConstant."<<"\tval is:"<<toStr(val)<<std::endl;
return NULL;
}
if(val.isUnknownOrUndef()){
std::cout<<"--->(getSymbolRef) failed! IsUnknownOrUndef."<<"\tval is:"<<toStr(val)<<std::endl;
return NULL;
}
const SymExpr * SE = val.getAsSymExpr();
if (SE != NULL){
//std::cout<<"--->(getSymbolRef) getAsSymExpr succeed!"<<std::endl;
return SE;
}
else{
//std::cout<<"--->(getSymbolRef) getAsSymExpr failed!, try get memregion"<<"\tval is:"<<toStr(val)<<std::endl;
const MemRegion *Reg = val.getAsRegion();
if(!Reg){
std::cout<<"--->(getSymbolRef) getAsRegion failed!"<<"\tval is:"<<toStr(val)<<std::endl;
return NULL;
}
else{
if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(Reg)){
//std::cout<<"--->(getSymbolRef) getAsRegion succeed."<<std::endl;
return SR->getSymbol();
}
else{
std::cout<<"--->(getSymbolRef) memRegion get symbolref failed."<<std::endl;
return NULL;
}
}
}
}示例14:
Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C,
const Expr *Arg) {
ProgramStateRef State = C.getState();
SVal AddrVal = C.getSVal(Arg->IgnoreParens());
if (AddrVal.isUnknownOrUndef())
return None;
Optional<Loc> AddrLoc = AddrVal.getAs<Loc>();
if (!AddrLoc)
return None;
QualType ArgTy = Arg->getType().getCanonicalType();
if (!ArgTy->isPointerType())
return None;
QualType ValTy = ArgTy->getPointeeType();
// Do not dereference void pointers. Treat them as byte pointers instead.
// FIXME: we might want to consider more than just the first byte.
if (ValTy->isVoidType())
ValTy = C.getASTContext().CharTy;
return State->getSVal(*AddrLoc, ValTy);
}示例15: reportBug
void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
if (ExplodedNode *N = C.generateSink(C.getState())) {
if (!DivZeroBug)
DivZeroBug.reset(new BuiltinBug(this, "Division by zero"));
auto R = llvm::make_unique<BugReport>(
*DivZeroBug, "Value being compared against zero has already been used "
"for division",
N);
R->addVisitor(llvm::make_unique<DivisionBRVisitor>(Val.getAsSymbol(),
C.getStackFrame()));
C.emitReport(std::move(R));
}
}