Lines Matching +full:non +full:- +full:descriptive

1 //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==//
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // This file defines ArrayBoundCheckerV2, which is a path-sensitive check
10 // which looks for an out-of-bound array element access.
12 //===----------------------------------------------------------------------===//
47 const MemRegion *SubscriptBaseReg = C.getSVal(ASE->getBase()).getAsRegion(); in determineElementType()
53 if (isa<ElementRegion>(SubscriptBaseReg->StripCasts())) in determineElementType()
56 return ASE->getType(); in determineElementType()
105 /// sub-expressions of each other (but `getSimplifiedOffsets` is smart enough
129 BugType BT{this, "Out-of-bound access"};
130 BugType TaintBT{this, "Out-of-bound access", categories::TaintedData};
154 if (E->getOpcode() == UO_Deref) in checkPostStmt()
158 if (E->isArrow()) in checkPostStmt()
159 performCheck(E->getBase(), C); in checkPostStmt()
185 const auto Index = CurRegion->getIndex().getAs<NonLoc>(); in computeOffset()
189 QualType ElemType = CurRegion->getElementType(); in computeOffset()
194 if (ElemType->isIncompleteType()) in computeOffset()
209 OwnerRegion = CurRegion->getSuperRegion()->getAs<SubRegion>(); in computeOffset()
238 // turn it into "X < -1", which is still always false in a mathematical sense,
240 // the rules of C++ and casts -1 to SIZE_MAX).
245 if (SymVal && SymVal->isExpression()) { in getSimplifiedOffsets()
246 if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) { in getSimplifiedOffsets()
248 APSIntType(extent.getValue()).convert(SIE->getRHS()); in getSimplifiedOffsets()
249 switch (SIE->getOpcode()) { in getSimplifiedOffsets()
257 nonloc::SymbolVal(SIE->getLHS()), in getSimplifiedOffsets()
262 nonloc::SymbolVal(SIE->getLHS()), in getSimplifiedOffsets()
263 svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); in getSimplifiedOffsets()
275 return MaxV && MaxV->isNegative(); in isNegative()
280 return T->isUnsignedIntegerType(); in isUnsigned()
299 // perform automatic conversions. For example the number -1 is less than the in compareValueToThreshold()
300 // number 1000, but -1 < `1000ull` will evaluate to `false` because the `int` in compareValueToThreshold()
301 // -1 is converted to ULONGLONG_MAX. in compareValueToThreshold()
317 // FIXME: These special cases are sufficient for handling real-world in compareValueToThreshold()
334 return State->assume(*BelowThreshold); in compareValueToThreshold()
340 if (std::string RegName = Region->getDescriptiveName(); !RegName.empty()) in getRegionName()
343 // Field regions only have descriptive names when their parent has a in getRegionName()
344 // descriptive name; so we provide a fallback representation for them: in getRegionName()
345 if (const auto *FR = Region->getAs<FieldRegion>()) { in getRegionName()
346 if (StringRef Name = FR->getDecl()->getName(); !Name.empty()) in getRegionName()
355 isa<HeapSpaceRegion>(Region->getMemorySpace())) in getRegionName()
366 return ConcreteVal->getValue().tryExtValue(); in getConcreteValue()
410 const auto *EReg = Location.getAsRegion()->getAs<ElementRegion>(); in getExceedsMsgs()
412 QualType ElemType = EReg->getElementType(); in getExceedsMsgs()
471 return C.getNoteTag([*this](PathSensitiveBugReport &BR) -> std::string { in createNoteTag()
514 Out << " non-negative"; in getMessage()
523 Out << "the number of '" << ElementType->getAsString() in getMessage()
536 for (SymbolRef PartSym : Sym->symbols()) { in providesInformationAboutInteresting()
577 const MemSpaceRegion *Space = Reg->getMemorySpace(); in performCheck()
584 // non-symbolic regions (e.g. a field subregion of a symbolic region) in in performCheck()
604 // evalBinOpNN fails to evaluate the less-than operator. in performCheck()
614 // checker will first assume that the offset is non-negative, and then in performCheck()
627 // expression that calculates the past-the-end pointer. in performCheck()
649 if (isTainted(State, ASE->getIdx(), C.getLocationContext())) in performCheck()
664 // evalBinOpNN fails to evaluate the less-than operator. in performCheck()
682 for (SymbolRef PartSym : Sym->symbols()) in markPartsInteresting()
690 // `Sym->symbols()` (because they're only loosely connected to `Val`). in markPartsInteresting()
713 // - Interestingness is not applied consistently, e.g. if `array[x+10]` in reportOOB()
715 // - We get irrelevant diagnostic pieces, e.g. in the code in reportOOB()
729 SourceLocation Loc = S->getBeginLoc(); in isFromCtypeMacro()
756 return UnaryOp && UnaryOp->getOpcode() == UO_AddrOf; in isInAddressOf()