10b57cec5SDimitry Andric //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// 20b57cec5SDimitry Andric // 30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 60b57cec5SDimitry Andric // 70b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 80b57cec5SDimitry Andric // 90b57cec5SDimitry Andric // This file defines ArrayBoundCheckerV2, which is a path-sensitive check 100b57cec5SDimitry Andric // which looks for an out-of-bound array element access. 110b57cec5SDimitry Andric // 120b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 130b57cec5SDimitry Andric 140b57cec5SDimitry Andric #include "clang/AST/CharUnits.h" 155ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 1681ad6265SDimitry Andric #include "clang/StaticAnalyzer/Checkers/Taint.h" 170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h" 190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h" 200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22fe6060f1SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" 230b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 240b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h" 250b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h" 26*bdd1243dSDimitry Andric #include <optional> 270b57cec5SDimitry Andric 280b57cec5SDimitry Andric using namespace clang; 290b57cec5SDimitry Andric using namespace ento; 300b57cec5SDimitry Andric using namespace taint; 310b57cec5SDimitry Andric 320b57cec5SDimitry Andric namespace { 330b57cec5SDimitry Andric class ArrayBoundCheckerV2 : 340b57cec5SDimitry Andric public Checker<check::Location> { 350b57cec5SDimitry Andric mutable std::unique_ptr<BuiltinBug> BT; 360b57cec5SDimitry Andric 370b57cec5SDimitry Andric enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; 380b57cec5SDimitry Andric 390b57cec5SDimitry Andric void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, 400b57cec5SDimitry Andric std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; 410b57cec5SDimitry Andric 420b57cec5SDimitry Andric public: 430b57cec5SDimitry Andric void checkLocation(SVal l, bool isLoad, const Stmt*S, 440b57cec5SDimitry Andric CheckerContext &C) const; 450b57cec5SDimitry Andric }; 460b57cec5SDimitry Andric 470b57cec5SDimitry Andric // FIXME: Eventually replace RegionRawOffset with this class. 480b57cec5SDimitry Andric class RegionRawOffsetV2 { 490b57cec5SDimitry Andric private: 500b57cec5SDimitry Andric const SubRegion *baseRegion; 510b57cec5SDimitry Andric SVal byteOffset; 520b57cec5SDimitry Andric 530b57cec5SDimitry Andric RegionRawOffsetV2() 540b57cec5SDimitry Andric : baseRegion(nullptr), byteOffset(UnknownVal()) {} 550b57cec5SDimitry Andric 560b57cec5SDimitry Andric public: 570b57cec5SDimitry Andric RegionRawOffsetV2(const SubRegion* base, SVal offset) 580b57cec5SDimitry Andric : baseRegion(base), byteOffset(offset) {} 590b57cec5SDimitry Andric 600b57cec5SDimitry Andric NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); } 610b57cec5SDimitry Andric const SubRegion *getRegion() const { return baseRegion; } 620b57cec5SDimitry Andric 630b57cec5SDimitry Andric static RegionRawOffsetV2 computeOffset(ProgramStateRef state, 640b57cec5SDimitry Andric SValBuilder &svalBuilder, 650b57cec5SDimitry Andric SVal location); 660b57cec5SDimitry Andric 670b57cec5SDimitry Andric void dump() const; 680b57cec5SDimitry Andric void dumpToStream(raw_ostream &os) const; 690b57cec5SDimitry Andric }; 700b57cec5SDimitry Andric } 710b57cec5SDimitry Andric 720b57cec5SDimitry Andric static SVal computeExtentBegin(SValBuilder &svalBuilder, 730b57cec5SDimitry Andric const MemRegion *region) { 740b57cec5SDimitry Andric const MemSpaceRegion *SR = region->getMemorySpace(); 750b57cec5SDimitry Andric if (SR->getKind() == MemRegion::UnknownSpaceRegionKind) 760b57cec5SDimitry Andric return UnknownVal(); 770b57cec5SDimitry Andric else 780b57cec5SDimitry Andric return svalBuilder.makeZeroArrayIndex(); 790b57cec5SDimitry Andric } 800b57cec5SDimitry Andric 810b57cec5SDimitry Andric // TODO: once the constraint manager is smart enough to handle non simplified 820b57cec5SDimitry Andric // symbolic expressions remove this function. Note that this can not be used in 830b57cec5SDimitry Andric // the constraint manager as is, since this does not handle overflows. It is 840b57cec5SDimitry Andric // safe to assume, however, that memory offsets will not overflow. 850b57cec5SDimitry Andric static std::pair<NonLoc, nonloc::ConcreteInt> 860b57cec5SDimitry Andric getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, 870b57cec5SDimitry Andric SValBuilder &svalBuilder) { 88*bdd1243dSDimitry Andric std::optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>(); 890b57cec5SDimitry Andric if (SymVal && SymVal->isExpression()) { 900b57cec5SDimitry Andric if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) { 910b57cec5SDimitry Andric llvm::APSInt constant = 920b57cec5SDimitry Andric APSIntType(extent.getValue()).convert(SIE->getRHS()); 930b57cec5SDimitry Andric switch (SIE->getOpcode()) { 940b57cec5SDimitry Andric case BO_Mul: 950b57cec5SDimitry Andric // The constant should never be 0 here, since it the result of scaling 960b57cec5SDimitry Andric // based on the size of a type which is never 0. 970b57cec5SDimitry Andric if ((extent.getValue() % constant) != 0) 980b57cec5SDimitry Andric return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 990b57cec5SDimitry Andric else 1000b57cec5SDimitry Andric return getSimplifiedOffsets( 1010b57cec5SDimitry Andric nonloc::SymbolVal(SIE->getLHS()), 1020b57cec5SDimitry Andric svalBuilder.makeIntVal(extent.getValue() / constant), 1030b57cec5SDimitry Andric svalBuilder); 1040b57cec5SDimitry Andric case BO_Add: 1050b57cec5SDimitry Andric return getSimplifiedOffsets( 1060b57cec5SDimitry Andric nonloc::SymbolVal(SIE->getLHS()), 1070b57cec5SDimitry Andric svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); 1080b57cec5SDimitry Andric default: 1090b57cec5SDimitry Andric break; 1100b57cec5SDimitry Andric } 1110b57cec5SDimitry Andric } 1120b57cec5SDimitry Andric } 1130b57cec5SDimitry Andric 1140b57cec5SDimitry Andric return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 1150b57cec5SDimitry Andric } 1160b57cec5SDimitry Andric 1170b57cec5SDimitry Andric void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, 1180b57cec5SDimitry Andric const Stmt* LoadS, 1190b57cec5SDimitry Andric CheckerContext &checkerContext) const { 1200b57cec5SDimitry Andric 1210b57cec5SDimitry Andric // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping 1220b57cec5SDimitry Andric // some new logic here that reasons directly about memory region extents. 1230b57cec5SDimitry Andric // Once that logic is more mature, we can bring it back to assumeInBound() 1240b57cec5SDimitry Andric // for all clients to use. 1250b57cec5SDimitry Andric // 1260b57cec5SDimitry Andric // The algorithm we are using here for bounds checking is to see if the 1270b57cec5SDimitry Andric // memory access is within the extent of the base region. Since we 1280b57cec5SDimitry Andric // have some flexibility in defining the base region, we can achieve 1290b57cec5SDimitry Andric // various levels of conservatism in our buffer overflow checking. 1300b57cec5SDimitry Andric ProgramStateRef state = checkerContext.getState(); 1310b57cec5SDimitry Andric 1320b57cec5SDimitry Andric SValBuilder &svalBuilder = checkerContext.getSValBuilder(); 1330b57cec5SDimitry Andric const RegionRawOffsetV2 &rawOffset = 1340b57cec5SDimitry Andric RegionRawOffsetV2::computeOffset(state, svalBuilder, location); 1350b57cec5SDimitry Andric 1360b57cec5SDimitry Andric if (!rawOffset.getRegion()) 1370b57cec5SDimitry Andric return; 1380b57cec5SDimitry Andric 1390b57cec5SDimitry Andric NonLoc rawOffsetVal = rawOffset.getByteOffset(); 1400b57cec5SDimitry Andric 1410b57cec5SDimitry Andric // CHECK LOWER BOUND: Is byteOffset < extent begin? 1420b57cec5SDimitry Andric // If so, we are doing a load/store 1430b57cec5SDimitry Andric // before the first valid offset in the memory region. 1440b57cec5SDimitry Andric 1450b57cec5SDimitry Andric SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); 1460b57cec5SDimitry Andric 147*bdd1243dSDimitry Andric if (std::optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) { 14881ad6265SDimitry Andric if (auto ConcreteNV = NV->getAs<nonloc::ConcreteInt>()) { 1490b57cec5SDimitry Andric std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 15081ad6265SDimitry Andric getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteNV, 1510b57cec5SDimitry Andric svalBuilder); 1520b57cec5SDimitry Andric rawOffsetVal = simplifiedOffsets.first; 1530b57cec5SDimitry Andric *NV = simplifiedOffsets.second; 1540b57cec5SDimitry Andric } 1550b57cec5SDimitry Andric 1560b57cec5SDimitry Andric SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, 1570b57cec5SDimitry Andric svalBuilder.getConditionType()); 1580b57cec5SDimitry Andric 159*bdd1243dSDimitry Andric std::optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>(); 1600b57cec5SDimitry Andric if (!lowerBoundToCheck) 1610b57cec5SDimitry Andric return; 1620b57cec5SDimitry Andric 1630b57cec5SDimitry Andric ProgramStateRef state_precedesLowerBound, state_withinLowerBound; 1640b57cec5SDimitry Andric std::tie(state_precedesLowerBound, state_withinLowerBound) = 1650b57cec5SDimitry Andric state->assume(*lowerBoundToCheck); 1660b57cec5SDimitry Andric 1670b57cec5SDimitry Andric // Are we constrained enough to definitely precede the lower bound? 1680b57cec5SDimitry Andric if (state_precedesLowerBound && !state_withinLowerBound) { 1690b57cec5SDimitry Andric reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes); 1700b57cec5SDimitry Andric return; 1710b57cec5SDimitry Andric } 1720b57cec5SDimitry Andric 1730b57cec5SDimitry Andric // Otherwise, assume the constraint of the lower bound. 1740b57cec5SDimitry Andric assert(state_withinLowerBound); 1750b57cec5SDimitry Andric state = state_withinLowerBound; 1760b57cec5SDimitry Andric } 1770b57cec5SDimitry Andric 1780b57cec5SDimitry Andric do { 1795ffd83dbSDimitry Andric // CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so, 1800b57cec5SDimitry Andric // we are doing a load/store after the last valid offset. 1815ffd83dbSDimitry Andric const MemRegion *MR = rawOffset.getRegion(); 182fe6060f1SDimitry Andric DefinedOrUnknownSVal Size = getDynamicExtent(state, MR, svalBuilder); 18381ad6265SDimitry Andric if (!isa<NonLoc>(Size)) 1840b57cec5SDimitry Andric break; 1850b57cec5SDimitry Andric 18681ad6265SDimitry Andric if (auto ConcreteSize = Size.getAs<nonloc::ConcreteInt>()) { 1870b57cec5SDimitry Andric std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 18881ad6265SDimitry Andric getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteSize, 18981ad6265SDimitry Andric svalBuilder); 1900b57cec5SDimitry Andric rawOffsetVal = simplifiedOffsets.first; 1915ffd83dbSDimitry Andric Size = simplifiedOffsets.second; 1920b57cec5SDimitry Andric } 1930b57cec5SDimitry Andric 1940b57cec5SDimitry Andric SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, 1955ffd83dbSDimitry Andric Size.castAs<NonLoc>(), 1960b57cec5SDimitry Andric svalBuilder.getConditionType()); 1970b57cec5SDimitry Andric 198*bdd1243dSDimitry Andric std::optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>(); 1990b57cec5SDimitry Andric if (!upperboundToCheck) 2000b57cec5SDimitry Andric break; 2010b57cec5SDimitry Andric 2020b57cec5SDimitry Andric ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; 2030b57cec5SDimitry Andric std::tie(state_exceedsUpperBound, state_withinUpperBound) = 2040b57cec5SDimitry Andric state->assume(*upperboundToCheck); 2050b57cec5SDimitry Andric 2060b57cec5SDimitry Andric // If we are under constrained and the index variables are tainted, report. 2070b57cec5SDimitry Andric if (state_exceedsUpperBound && state_withinUpperBound) { 2080b57cec5SDimitry Andric SVal ByteOffset = rawOffset.getByteOffset(); 2090b57cec5SDimitry Andric if (isTainted(state, ByteOffset)) { 2100b57cec5SDimitry Andric reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, 211a7dea167SDimitry Andric std::make_unique<TaintBugVisitor>(ByteOffset)); 2120b57cec5SDimitry Andric return; 2130b57cec5SDimitry Andric } 2140b57cec5SDimitry Andric } else if (state_exceedsUpperBound) { 2150b57cec5SDimitry Andric // If we are constrained enough to definitely exceed the upper bound, 2160b57cec5SDimitry Andric // report. 2170b57cec5SDimitry Andric assert(!state_withinUpperBound); 2180b57cec5SDimitry Andric reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); 2190b57cec5SDimitry Andric return; 2200b57cec5SDimitry Andric } 2210b57cec5SDimitry Andric 2220b57cec5SDimitry Andric assert(state_withinUpperBound); 2230b57cec5SDimitry Andric state = state_withinUpperBound; 2240b57cec5SDimitry Andric } 2250b57cec5SDimitry Andric while (false); 2260b57cec5SDimitry Andric 2270b57cec5SDimitry Andric checkerContext.addTransition(state); 2280b57cec5SDimitry Andric } 2290b57cec5SDimitry Andric 2300b57cec5SDimitry Andric void ArrayBoundCheckerV2::reportOOB( 2310b57cec5SDimitry Andric CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, 2320b57cec5SDimitry Andric std::unique_ptr<BugReporterVisitor> Visitor) const { 2330b57cec5SDimitry Andric 2340b57cec5SDimitry Andric ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); 2350b57cec5SDimitry Andric if (!errorNode) 2360b57cec5SDimitry Andric return; 2370b57cec5SDimitry Andric 2380b57cec5SDimitry Andric if (!BT) 2390b57cec5SDimitry Andric BT.reset(new BuiltinBug(this, "Out-of-bound access")); 2400b57cec5SDimitry Andric 2410b57cec5SDimitry Andric // FIXME: This diagnostics are preliminary. We should get far better 2420b57cec5SDimitry Andric // diagnostics for explaining buffer overruns. 2430b57cec5SDimitry Andric 2440b57cec5SDimitry Andric SmallString<256> buf; 2450b57cec5SDimitry Andric llvm::raw_svector_ostream os(buf); 2460b57cec5SDimitry Andric os << "Out of bound memory access "; 2470b57cec5SDimitry Andric switch (kind) { 2480b57cec5SDimitry Andric case OOB_Precedes: 2490b57cec5SDimitry Andric os << "(accessed memory precedes memory block)"; 2500b57cec5SDimitry Andric break; 2510b57cec5SDimitry Andric case OOB_Excedes: 2520b57cec5SDimitry Andric os << "(access exceeds upper limit of memory block)"; 2530b57cec5SDimitry Andric break; 2540b57cec5SDimitry Andric case OOB_Tainted: 2550b57cec5SDimitry Andric os << "(index is tainted)"; 2560b57cec5SDimitry Andric break; 2570b57cec5SDimitry Andric } 2580b57cec5SDimitry Andric 259a7dea167SDimitry Andric auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode); 2600b57cec5SDimitry Andric BR->addVisitor(std::move(Visitor)); 2610b57cec5SDimitry Andric checkerContext.emitReport(std::move(BR)); 2620b57cec5SDimitry Andric } 2630b57cec5SDimitry Andric 2640b57cec5SDimitry Andric #ifndef NDEBUG 2650b57cec5SDimitry Andric LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { 2660b57cec5SDimitry Andric dumpToStream(llvm::errs()); 2670b57cec5SDimitry Andric } 2680b57cec5SDimitry Andric 2690b57cec5SDimitry Andric void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { 2700b57cec5SDimitry Andric os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; 2710b57cec5SDimitry Andric } 2720b57cec5SDimitry Andric #endif 2730b57cec5SDimitry Andric 2740b57cec5SDimitry Andric // Lazily computes a value to be used by 'computeOffset'. If 'val' 2750b57cec5SDimitry Andric // is unknown or undefined, we lazily substitute '0'. Otherwise, 2760b57cec5SDimitry Andric // return 'val'. 2770b57cec5SDimitry Andric static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { 27881ad6265SDimitry Andric return val.isUndef() ? svalBuilder.makeZeroArrayIndex() : val; 2790b57cec5SDimitry Andric } 2800b57cec5SDimitry Andric 2810b57cec5SDimitry Andric // Scale a base value by a scaling factor, and return the scaled 2820b57cec5SDimitry Andric // value as an SVal. Used by 'computeOffset'. 2830b57cec5SDimitry Andric static inline SVal scaleValue(ProgramStateRef state, 2840b57cec5SDimitry Andric NonLoc baseVal, CharUnits scaling, 2850b57cec5SDimitry Andric SValBuilder &sb) { 2860b57cec5SDimitry Andric return sb.evalBinOpNN(state, BO_Mul, baseVal, 2870b57cec5SDimitry Andric sb.makeArrayIndex(scaling.getQuantity()), 2880b57cec5SDimitry Andric sb.getArrayIndexType()); 2890b57cec5SDimitry Andric } 2900b57cec5SDimitry Andric 2910b57cec5SDimitry Andric // Add an SVal to another, treating unknown and undefined values as 2920b57cec5SDimitry Andric // summing to UnknownVal. Used by 'computeOffset'. 2930b57cec5SDimitry Andric static SVal addValue(ProgramStateRef state, SVal x, SVal y, 2940b57cec5SDimitry Andric SValBuilder &svalBuilder) { 2950b57cec5SDimitry Andric // We treat UnknownVals and UndefinedVals the same here because we 2960b57cec5SDimitry Andric // only care about computing offsets. 2970b57cec5SDimitry Andric if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) 2980b57cec5SDimitry Andric return UnknownVal(); 2990b57cec5SDimitry Andric 3000b57cec5SDimitry Andric return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(), 3010b57cec5SDimitry Andric y.castAs<NonLoc>(), 3020b57cec5SDimitry Andric svalBuilder.getArrayIndexType()); 3030b57cec5SDimitry Andric } 3040b57cec5SDimitry Andric 3050b57cec5SDimitry Andric /// Compute a raw byte offset from a base region. Used for array bounds 3060b57cec5SDimitry Andric /// checking. 3070b57cec5SDimitry Andric RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, 3080b57cec5SDimitry Andric SValBuilder &svalBuilder, 3090b57cec5SDimitry Andric SVal location) 3100b57cec5SDimitry Andric { 3110b57cec5SDimitry Andric const MemRegion *region = location.getAsRegion(); 3120b57cec5SDimitry Andric SVal offset = UndefinedVal(); 3130b57cec5SDimitry Andric 3140b57cec5SDimitry Andric while (region) { 3150b57cec5SDimitry Andric switch (region->getKind()) { 3160b57cec5SDimitry Andric default: { 3170b57cec5SDimitry Andric if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) { 3180b57cec5SDimitry Andric offset = getValue(offset, svalBuilder); 3190b57cec5SDimitry Andric if (!offset.isUnknownOrUndef()) 3200b57cec5SDimitry Andric return RegionRawOffsetV2(subReg, offset); 3210b57cec5SDimitry Andric } 3220b57cec5SDimitry Andric return RegionRawOffsetV2(); 3230b57cec5SDimitry Andric } 3240b57cec5SDimitry Andric case MemRegion::ElementRegionKind: { 3250b57cec5SDimitry Andric const ElementRegion *elemReg = cast<ElementRegion>(region); 3260b57cec5SDimitry Andric SVal index = elemReg->getIndex(); 32781ad6265SDimitry Andric if (!isa<NonLoc>(index)) 3280b57cec5SDimitry Andric return RegionRawOffsetV2(); 3290b57cec5SDimitry Andric QualType elemType = elemReg->getElementType(); 3300b57cec5SDimitry Andric // If the element is an incomplete type, go no further. 3310b57cec5SDimitry Andric ASTContext &astContext = svalBuilder.getContext(); 3320b57cec5SDimitry Andric if (elemType->isIncompleteType()) 3330b57cec5SDimitry Andric return RegionRawOffsetV2(); 3340b57cec5SDimitry Andric 3350b57cec5SDimitry Andric // Update the offset. 3360b57cec5SDimitry Andric offset = addValue(state, 3370b57cec5SDimitry Andric getValue(offset, svalBuilder), 3380b57cec5SDimitry Andric scaleValue(state, 3390b57cec5SDimitry Andric index.castAs<NonLoc>(), 3400b57cec5SDimitry Andric astContext.getTypeSizeInChars(elemType), 3410b57cec5SDimitry Andric svalBuilder), 3420b57cec5SDimitry Andric svalBuilder); 3430b57cec5SDimitry Andric 3440b57cec5SDimitry Andric if (offset.isUnknownOrUndef()) 3450b57cec5SDimitry Andric return RegionRawOffsetV2(); 3460b57cec5SDimitry Andric 3470b57cec5SDimitry Andric region = elemReg->getSuperRegion(); 3480b57cec5SDimitry Andric continue; 3490b57cec5SDimitry Andric } 3500b57cec5SDimitry Andric } 3510b57cec5SDimitry Andric } 3520b57cec5SDimitry Andric return RegionRawOffsetV2(); 3530b57cec5SDimitry Andric } 3540b57cec5SDimitry Andric 3550b57cec5SDimitry Andric void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { 3560b57cec5SDimitry Andric mgr.registerChecker<ArrayBoundCheckerV2>(); 3570b57cec5SDimitry Andric } 3580b57cec5SDimitry Andric 3595ffd83dbSDimitry Andric bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) { 3600b57cec5SDimitry Andric return true; 3610b57cec5SDimitry Andric } 362