RangedConstraintManager.h

Go to the documentation of this file.

//== RangedConstraintManager.h ----------------------------------*- C++ -*--==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
//  Ranged constraint manager, built on SimpleConstraintManager.
//
//===----------------------------------------------------------------------===//
 
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_RANGEDCONSTRAINTMANAGER_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_RANGEDCONSTRAINTMANAGER_H
 
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SimpleConstraintManager.h"
#include "llvm/ADT/APSInt.h"
#include "llvm/Support/Allocator.h"
 
namespace clang {
 
namespace ento {
 
/// A Range represents the closed range [from, to].  The caller must
/// guarantee that from <= to.  Note that Range is immutable, so as not
/// to subvert RangeSet's immutability.
class Range {
public:
  Range(const llvm::APSInt &From, const llvm::APSInt &To) : Impl(&From, &To) {
    assert(From <= To);
  }
 
  Range(const llvm::APSInt &Point) : Range(Point, Point) {}
 
  bool Includes(const llvm::APSInt &Point) const {
    return From() <= Point && Point <= To();
  }
  const llvm::APSInt &From() const { return *Impl.first; }
  const llvm::APSInt &To() const { return *Impl.second; }
  const llvm::APSInt *getConcreteValue() const {
    return &From() == &To() ? &From() : nullptr;
  }
 
  void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddPointer(&From());
    ID.AddPointer(&To());
  }
  void dump(raw_ostream &OS) const;
  void dump() const;
 
  // In order to keep non-overlapping ranges sorted, we can compare only From
  // points.
  bool operator<(const Range &RHS) const { return From() < RHS.From(); }
 
  bool operator==(const Range &RHS) const { return Impl == RHS.Impl; }
  bool operator!=(const Range &RHS) const { return !operator==(RHS); }
 
private:
  std::pair<const llvm::APSInt *, const llvm::APSInt *> Impl;
};
 
/// @class RangeSet is a persistent set of non-overlapping ranges.
///
/// New RangeSet objects can be ONLY produced by RangeSet::Factory object, which
/// also supports the most common operations performed on range sets.
///
/// Empty set corresponds to an overly constrained symbol meaning that there
/// are no possible values for that symbol.
class RangeSet {
public:
  class Factory;
 
private:
  // We use llvm::SmallVector as the underlying container for the following
  // reasons:
  //
  //   * Range sets are usually very simple, 1 or 2 ranges.
  //     That's why llvm::ImmutableSet is not perfect.
  //
  //   * Ranges in sets are NOT overlapping, so it is natural to keep them
  //     sorted for efficient operations and queries.  For this reason,
  //     llvm::SmallSet doesn't fit the requirements, it is not sorted when it
  //     is a vector.
  //
  //   * Range set operations usually a bit harder than add/remove a range.
  //     Complex operations might do many of those for just one range set.
  //     Formerly it used to be llvm::ImmutableSet, which is inefficient for our
  //     purposes as we want to make these operations BOTH immutable AND
  //     efficient.
  //
  //   * Iteration over ranges is widespread and a more cache-friendly
  //     structure is preferred.
  using ImplType = llvm::SmallVector<Range, 4>;
 
  struct ContainerType : public ImplType, public llvm::FoldingSetNode {
    void Profile(llvm::FoldingSetNodeID &ID) const {
      for (const Range &It : *this) {
        It.Profile(ID);
      }
    }
  };
  // This is a non-owning pointer to an actual container.
  // The memory is fully managed by the factory and is alive as long as the
  // factory itself is alive.
  // It is a pointer as opposed to a reference, so we can easily reassign
  // RangeSet objects.
  using UnderlyingType = const ContainerType *;
  UnderlyingType Impl;
 
public:
  using const_iterator = ImplType::const_iterator;
 
  const_iterator begin() const { return Impl->begin(); }
  const_iterator end() const { return Impl->end(); }
  size_t size() const { return Impl->size(); }
 
  bool isEmpty() const { return Impl->empty(); }
 
  class Factory {
  public:
    Factory(BasicValueFactory &BV) : ValueFactory(BV) {}
 
    /// Create a new set with all ranges from both LHS and RHS.
    /// Possible intersections are not checked here.
    ///
    /// Complexity: O(N + M)
    ///             where N = size(LHS), M = size(RHS)
    RangeSet add(RangeSet LHS, RangeSet RHS);
    /// Create a new set with all ranges from the original set plus the new one.
    /// Possible intersections are not checked here.
    ///
    /// Complexity: O(N)
    ///             where N = size(Original)
    RangeSet add(RangeSet Original, Range Element);
    /// Create a new set with all ranges from the original set plus the point.
    /// Possible intersections are not checked here.
    ///
    /// Complexity: O(N)
    ///             where N = size(Original)
    RangeSet add(RangeSet Original, const llvm::APSInt &Point);
    /// Create a new set which is a union of two given ranges.
    /// Possible intersections are not checked here.
    ///
    /// Complexity: O(N + M)
    ///             where N = size(LHS), M = size(RHS)
    RangeSet unite(RangeSet LHS, RangeSet RHS);
    /// Create a new set by uniting given range set with the given range.
    /// All intersections and adjacent ranges are handled here.
    ///
    /// Complexity: O(N)
    ///             where N = size(Original)
    RangeSet unite(RangeSet Original, Range Element);
    /// Create a new set by uniting given range set with the given point.
    /// All intersections and adjacent ranges are handled here.
    ///
    /// Complexity: O(N)
    ///             where N = size(Original)
    RangeSet unite(RangeSet Original, llvm::APSInt Point);
    /// Create a new set by uniting given range set with the given range
    /// between points. All intersections and adjacent ranges are handled here.
    ///
    /// Complexity: O(N)
    ///             where N = size(Original)
    RangeSet unite(RangeSet Original, llvm::APSInt From, llvm::APSInt To);
 
    RangeSet getEmptySet() { return &EmptySet; }
 
    /// Create a new set with just one range.
    /// @{
    RangeSet getRangeSet(Range Origin);
    RangeSet getRangeSet(const llvm::APSInt &From, const llvm::APSInt &To) {
      return getRangeSet(Range(From, To));
    }
    RangeSet getRangeSet(const llvm::APSInt &Origin) {
      return getRangeSet(Origin, Origin);
    }
    /// @}
 
    /// Intersect the given range sets.
    ///
    /// Complexity: O(N + M)
    ///             where N = size(LHS), M = size(RHS)
    RangeSet intersect(RangeSet LHS, RangeSet RHS);
    /// Intersect the given set with the closed range [Lower, Upper].
    ///
    /// Unlike the Range type, this range uses modular arithmetic, corresponding
    /// to the common treatment of C integer overflow. Thus, if the Lower bound
    /// is greater than the Upper bound, the range is taken to wrap around. This
    /// is equivalent to taking the intersection with the two ranges [Min,
    /// Upper] and [Lower, Max], or, alternatively, /removing/ all integers
    /// between Upper and Lower.
    ///
    /// Complexity: O(N)
    ///             where N = size(What)
    RangeSet intersect(RangeSet What, llvm::APSInt Lower, llvm::APSInt Upper);
    /// Intersect the given range with the given point.
    ///
    /// The result can be either an empty set or a set containing the given
    /// point depending on whether the point is in the range set.
    ///
    /// Complexity: O(logN)
    ///             where N = size(What)
    RangeSet intersect(RangeSet What, llvm::APSInt Point);
 
    /// Delete the given point from the range set.
    ///
    /// Complexity: O(N)
    ///             where N = size(From)
    RangeSet deletePoint(RangeSet From, const llvm::APSInt &Point);
    /// Negate the given range set.
    ///
    /// Turn all [A, B] ranges to [-B, -A], when "-" is a C-like unary minus
    /// operation under the values of the type.
    ///
    /// We also handle MIN because applying unary minus to MIN does not change
    /// it.
    /// Example 1:
    /// char x = -128;        // -128 is a MIN value in a range of 'char'
    /// char y = -x;          // y: -128
    ///
    /// Example 2:
    /// unsigned char x = 0;  // 0 is a MIN value in a range of 'unsigned char'
    /// unsigned char y = -x; // y: 0
    ///
    /// And it makes us to separate the range
    /// like [MIN, N] to [MIN, MIN] U [-N, MAX].
    /// For instance, whole range is {-128..127} and subrange is [-128,-126],
    /// thus [-128,-127,-126,...] negates to [-128,...,126,127].
    ///
    /// Negate restores disrupted ranges on bounds,
    /// e.g. [MIN, B] => [MIN, MIN] U [-B, MAX] => [MIN, B].
    ///
    /// Negate is a self-inverse function, i.e. negate(negate(R)) == R.
    ///
    /// Complexity: O(N)
    ///             where N = size(What)
    RangeSet negate(RangeSet What);
    /// Performs promotions, truncations and conversions of the given set.
    ///
    /// This function is optimized for each of the six cast cases:
    /// - noop
    /// - conversion
    /// - truncation
    /// - truncation-conversion
    /// - promotion
    /// - promotion-conversion
    ///
    /// NOTE: This function is NOT self-inverse for truncations, because of
    ///       the higher bits loss:
    ///     - castTo(castTo(OrigRangeOfInt, char), int) != OrigRangeOfInt.
    ///     - castTo(castTo(OrigRangeOfChar, int), char) == OrigRangeOfChar.
    ///       But it is self-inverse for all the rest casts.
    ///
    /// Complexity:
    ///     - Noop                               O(1);
    ///     - Truncation                         O(N^2);
    ///     - Another case                       O(N);
    ///     where N = size(What)
    RangeSet castTo(RangeSet What, APSIntType Ty);
    RangeSet castTo(RangeSet What, QualType T);
 
    /// Return associated value factory.
    BasicValueFactory &getValueFactory() const { return ValueFactory; }
 
  private:
    /// Return a persistent version of the given container.
    RangeSet makePersistent(ContainerType &&From);
    /// Construct a new persistent version of the given container.
    ContainerType *construct(ContainerType &&From);
 
    RangeSet intersect(const ContainerType &LHS, const ContainerType &RHS);
    /// NOTE: This function relies on the fact that all values in the
    /// containers are persistent (created via BasicValueFactory::getValue).
    ContainerType unite(const ContainerType &LHS, const ContainerType &RHS);
 
    /// This is a helper function for `castTo` method. Implies not to be used
    /// separately.
    /// Performs a truncation case of a cast operation.
    ContainerType truncateTo(RangeSet What, APSIntType Ty);
 
    /// This is a helper function for `castTo` method. Implies not to be used
    /// separately.
    /// Performs a conversion case and a promotion-conversion case for signeds
    /// of a cast operation.
    ContainerType convertTo(RangeSet What, APSIntType Ty);
 
    /// This is a helper function for `castTo` method. Implies not to be used
    /// separately.
    /// Performs a promotion for unsigneds only.
    ContainerType promoteTo(RangeSet What, APSIntType Ty);
 
    // Many operations include producing new APSInt values and that's why
    // we need this factory.
    BasicValueFactory &ValueFactory;
    // Allocator for all the created containers.
    // Containers might own their own memory and that's why it is specific
    // for the type, so it calls container destructors upon deletion.
    llvm::SpecificBumpPtrAllocator<ContainerType> Arena;
    // Usually we deal with the same ranges and range sets over and over.
    // Here we track all created containers and try not to repeat ourselves.
    llvm::FoldingSet<ContainerType> Cache;
    static ContainerType EmptySet;
  };
 
  RangeSet(const RangeSet &) = default;
  RangeSet &operator=(const RangeSet &) = default;
  RangeSet(RangeSet &&) = default;
  RangeSet &operator=(RangeSet &&) = default;
  ~RangeSet() = default;
 
  /// Construct a new RangeSet representing '{ [From, To] }'.
  RangeSet(Factory &F, const llvm::APSInt &From, const llvm::APSInt &To)
      : RangeSet(F.getRangeSet(From, To)) {}
 
  /// Construct a new RangeSet representing the given point as a range.
  RangeSet(Factory &F, const llvm::APSInt &Point)
      : RangeSet(F.getRangeSet(Point)) {}
 
  static void Profile(llvm::FoldingSetNodeID &ID, const RangeSet &RS) {
    ID.AddPointer(RS.Impl);
  }
 
  /// Profile - Generates a hash profile of this RangeSet for use
  ///  by FoldingSet.
  void Profile(llvm::FoldingSetNodeID &ID) const { Profile(ID, *this); }
 
  /// getConcreteValue - If a symbol is constrained to equal a specific integer
  ///  constant then this method returns that value.  Otherwise, it returns
  ///  NULL.
  const llvm::APSInt *getConcreteValue() const {
    return Impl->size() == 1 ? begin()->getConcreteValue() : nullptr;
  }
 
  /// Get the minimal value covered by the ranges in the set.
  ///
  /// Complexity: O(1)
  const llvm::APSInt &getMinValue() const;
  /// Get the maximal value covered by the ranges in the set.
  ///
  /// Complexity: O(1)
  const llvm::APSInt &getMaxValue() const;
 
  bool isUnsigned() const;
  uint32_t getBitWidth() const;
  APSIntType getAPSIntType() const;
 
  /// Test whether the given point is contained by any of the ranges.
  ///
  /// Complexity: O(logN)
  ///             where N = size(this)
  bool contains(llvm::APSInt Point) const { return containsImpl(Point); }
 
  bool containsZero() const {
    APSIntType T{getMinValue()};
    return contains(T.getZeroValue());
  }
 
  /// Test if the range is the [0,0] range.
  ///
  /// Complexity: O(1)
  bool encodesFalseRange() const {
    const llvm::APSInt *Constant = getConcreteValue();
    return Constant && Constant->isZero();
  }
 
  /// Test if the range doesn't contain zero.
  ///
  /// Complexity: O(logN)
  ///             where N = size(this)
  bool encodesTrueRange() const { return !containsZero(); }
 
  void dump(raw_ostream &OS) const;
  void dump() const;
 
  bool operator==(const RangeSet &Other) const { return *Impl == *Other.Impl; }
  bool operator!=(const RangeSet &Other) const { return !(*this == Other); }
 
private:
  /* implicit */ RangeSet(ContainerType *RawContainer) : Impl(RawContainer) {}
  /* implicit */ RangeSet(UnderlyingType Ptr) : Impl(Ptr) {}
 
  /// Pin given points to the type represented by the current range set.
  ///
  /// This makes parameter points to be in-out parameters.
  /// In order to maintain consistent types across all of the ranges in the set
  /// and to keep all the operations to compare ONLY points of the same type, we
  /// need to pin every point before any operation.
  ///
  /// @Returns true if the given points can be converted to the target type
  ///          without changing the values (i.e. trivially) and false otherwise.
  /// @{
  bool pin(llvm::APSInt &Lower, llvm::APSInt &Upper) const;
  bool pin(llvm::APSInt &Point) const;
  /// @}
 
  // This version of this function modifies its arguments (pins it).
  bool containsImpl(llvm::APSInt &Point) const;
 
  friend class Factory;
};
 
using ConstraintMap = llvm::ImmutableMap<SymbolRef, RangeSet>;
ConstraintMap getConstraintMap(ProgramStateRef State);
 
class RangedConstraintManager : public SimpleConstraintManager {
public:
  RangedConstraintManager(ExprEngine *EE, SValBuilder &SB)
      : SimpleConstraintManager(EE, SB) {}
 
  ~RangedConstraintManager() override;
 
  //===------------------------------------------------------------------===//
  // Implementation for interface from SimpleConstraintManager.
  //===------------------------------------------------------------------===//
 
  ProgramStateRef assumeSym(ProgramStateRef State, SymbolRef Sym,
                            bool Assumption) override;
 
  ProgramStateRef assumeSymInclusiveRange(ProgramStateRef State, SymbolRef Sym,
                                          const llvm::APSInt &From,
                                          const llvm::APSInt &To,
                                          bool InRange) override;
 
  ProgramStateRef assumeSymUnsupported(ProgramStateRef State, SymbolRef Sym,
                                       bool Assumption) override;
 
protected:
  /// Assume a constraint between a symbolic expression and a concrete integer.
  virtual ProgramStateRef assumeSymRel(ProgramStateRef State, SymbolRef Sym,
                                       BinaryOperator::Opcode op,
                                       const llvm::APSInt &Int);
 
  //===------------------------------------------------------------------===//
  // Interface that subclasses must implement.
  //===------------------------------------------------------------------===//
 
  // Each of these is of the form "$Sym+Adj <> V", where "<>" is the comparison
  // operation for the method being invoked.
 
  virtual ProgramStateRef assumeSymNE(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymEQ(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymLT(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymGT(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymLE(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymGE(ProgramStateRef State, SymbolRef Sym,
                                      const llvm::APSInt &V,
                                      const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymWithinInclusiveRange(
      ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From,
      const llvm::APSInt &To, const llvm::APSInt &Adjustment) = 0;
 
  virtual ProgramStateRef assumeSymOutsideInclusiveRange(
      ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From,
      const llvm::APSInt &To, const llvm::APSInt &Adjustment) = 0;
 
  //===------------------------------------------------------------------===//
  // Internal implementation.
  //===------------------------------------------------------------------===//
private:
  static void computeAdjustment(SymbolRef &Sym, llvm::APSInt &Adjustment);
};
 
/// Try to simplify a given symbolic expression based on the constraints in
/// State. This is needed because the Environment bindings are not getting
/// updated when a new constraint is added to the State. If the symbol is
/// simplified to a non-symbol (e.g. to a constant) then the original symbol
/// is returned. We use this function in the family of assumeSymNE/EQ/LT/../GE
/// functions where we can work only with symbols. Use the other function
/// (simplifyToSVal) if you are interested in a simplification that may yield
/// a concrete constant value.
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym);
 
/// Try to simplify a given symbolic expression's associated `SVal` based on the
/// constraints in State. This is very similar to `simplify`, but this function
/// always returns the simplified SVal. The simplified SVal might be a single
/// constant (i.e. `ConcreteInt`).
SVal simplifyToSVal(ProgramStateRef State, SymbolRef Sym);
 
} // namespace ento
} // namespace clang
 
REGISTER_FACTORY_WITH_PROGRAMSTATE(ConstraintMap)
 
#endif