10b57cec5SDimitry Andric //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// 20b57cec5SDimitry Andric // 30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 60b57cec5SDimitry Andric // 70b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 80b57cec5SDimitry Andric // 90b57cec5SDimitry Andric // This file defines ArrayBoundCheckerV2, which is a path-sensitive check 100b57cec5SDimitry Andric // which looks for an out-of-bound array element access. 110b57cec5SDimitry Andric // 120b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 130b57cec5SDimitry Andric 140b57cec5SDimitry Andric #include "Taint.h" 150b57cec5SDimitry Andric #include "clang/AST/CharUnits.h" 165ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h" 190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h" 200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22*fe6060f1SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" 230b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 240b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h" 250b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h" 260b57cec5SDimitry Andric 270b57cec5SDimitry Andric using namespace clang; 280b57cec5SDimitry Andric using namespace ento; 290b57cec5SDimitry Andric using namespace taint; 300b57cec5SDimitry Andric 310b57cec5SDimitry Andric namespace { 320b57cec5SDimitry Andric class ArrayBoundCheckerV2 : 330b57cec5SDimitry Andric public Checker<check::Location> { 340b57cec5SDimitry Andric mutable std::unique_ptr<BuiltinBug> BT; 350b57cec5SDimitry Andric 360b57cec5SDimitry Andric enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; 370b57cec5SDimitry Andric 380b57cec5SDimitry Andric void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, 390b57cec5SDimitry Andric std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; 400b57cec5SDimitry Andric 410b57cec5SDimitry Andric public: 420b57cec5SDimitry Andric void checkLocation(SVal l, bool isLoad, const Stmt*S, 430b57cec5SDimitry Andric CheckerContext &C) const; 440b57cec5SDimitry Andric }; 450b57cec5SDimitry Andric 460b57cec5SDimitry Andric // FIXME: Eventually replace RegionRawOffset with this class. 470b57cec5SDimitry Andric class RegionRawOffsetV2 { 480b57cec5SDimitry Andric private: 490b57cec5SDimitry Andric const SubRegion *baseRegion; 500b57cec5SDimitry Andric SVal byteOffset; 510b57cec5SDimitry Andric 520b57cec5SDimitry Andric RegionRawOffsetV2() 530b57cec5SDimitry Andric : baseRegion(nullptr), byteOffset(UnknownVal()) {} 540b57cec5SDimitry Andric 550b57cec5SDimitry Andric public: 560b57cec5SDimitry Andric RegionRawOffsetV2(const SubRegion* base, SVal offset) 570b57cec5SDimitry Andric : baseRegion(base), byteOffset(offset) {} 580b57cec5SDimitry Andric 590b57cec5SDimitry Andric NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); } 600b57cec5SDimitry Andric const SubRegion *getRegion() const { return baseRegion; } 610b57cec5SDimitry Andric 620b57cec5SDimitry Andric static RegionRawOffsetV2 computeOffset(ProgramStateRef state, 630b57cec5SDimitry Andric SValBuilder &svalBuilder, 640b57cec5SDimitry Andric SVal location); 650b57cec5SDimitry Andric 660b57cec5SDimitry Andric void dump() const; 670b57cec5SDimitry Andric void dumpToStream(raw_ostream &os) const; 680b57cec5SDimitry Andric }; 690b57cec5SDimitry Andric } 700b57cec5SDimitry Andric 710b57cec5SDimitry Andric static SVal computeExtentBegin(SValBuilder &svalBuilder, 720b57cec5SDimitry Andric const MemRegion *region) { 730b57cec5SDimitry Andric const MemSpaceRegion *SR = region->getMemorySpace(); 740b57cec5SDimitry Andric if (SR->getKind() == MemRegion::UnknownSpaceRegionKind) 750b57cec5SDimitry Andric return UnknownVal(); 760b57cec5SDimitry Andric else 770b57cec5SDimitry Andric return svalBuilder.makeZeroArrayIndex(); 780b57cec5SDimitry Andric } 790b57cec5SDimitry Andric 800b57cec5SDimitry Andric // TODO: once the constraint manager is smart enough to handle non simplified 810b57cec5SDimitry Andric // symbolic expressions remove this function. Note that this can not be used in 820b57cec5SDimitry Andric // the constraint manager as is, since this does not handle overflows. It is 830b57cec5SDimitry Andric // safe to assume, however, that memory offsets will not overflow. 840b57cec5SDimitry Andric static std::pair<NonLoc, nonloc::ConcreteInt> 850b57cec5SDimitry Andric getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, 860b57cec5SDimitry Andric SValBuilder &svalBuilder) { 870b57cec5SDimitry Andric Optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>(); 880b57cec5SDimitry Andric if (SymVal && SymVal->isExpression()) { 890b57cec5SDimitry Andric if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) { 900b57cec5SDimitry Andric llvm::APSInt constant = 910b57cec5SDimitry Andric APSIntType(extent.getValue()).convert(SIE->getRHS()); 920b57cec5SDimitry Andric switch (SIE->getOpcode()) { 930b57cec5SDimitry Andric case BO_Mul: 940b57cec5SDimitry Andric // The constant should never be 0 here, since it the result of scaling 950b57cec5SDimitry Andric // based on the size of a type which is never 0. 960b57cec5SDimitry Andric if ((extent.getValue() % constant) != 0) 970b57cec5SDimitry Andric return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 980b57cec5SDimitry Andric else 990b57cec5SDimitry Andric return getSimplifiedOffsets( 1000b57cec5SDimitry Andric nonloc::SymbolVal(SIE->getLHS()), 1010b57cec5SDimitry Andric svalBuilder.makeIntVal(extent.getValue() / constant), 1020b57cec5SDimitry Andric svalBuilder); 1030b57cec5SDimitry Andric case BO_Add: 1040b57cec5SDimitry Andric return getSimplifiedOffsets( 1050b57cec5SDimitry Andric nonloc::SymbolVal(SIE->getLHS()), 1060b57cec5SDimitry Andric svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); 1070b57cec5SDimitry Andric default: 1080b57cec5SDimitry Andric break; 1090b57cec5SDimitry Andric } 1100b57cec5SDimitry Andric } 1110b57cec5SDimitry Andric } 1120b57cec5SDimitry Andric 1130b57cec5SDimitry Andric return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 1140b57cec5SDimitry Andric } 1150b57cec5SDimitry Andric 1160b57cec5SDimitry Andric void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, 1170b57cec5SDimitry Andric const Stmt* LoadS, 1180b57cec5SDimitry Andric CheckerContext &checkerContext) const { 1190b57cec5SDimitry Andric 1200b57cec5SDimitry Andric // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping 1210b57cec5SDimitry Andric // some new logic here that reasons directly about memory region extents. 1220b57cec5SDimitry Andric // Once that logic is more mature, we can bring it back to assumeInBound() 1230b57cec5SDimitry Andric // for all clients to use. 1240b57cec5SDimitry Andric // 1250b57cec5SDimitry Andric // The algorithm we are using here for bounds checking is to see if the 1260b57cec5SDimitry Andric // memory access is within the extent of the base region. Since we 1270b57cec5SDimitry Andric // have some flexibility in defining the base region, we can achieve 1280b57cec5SDimitry Andric // various levels of conservatism in our buffer overflow checking. 1290b57cec5SDimitry Andric ProgramStateRef state = checkerContext.getState(); 1300b57cec5SDimitry Andric 1310b57cec5SDimitry Andric SValBuilder &svalBuilder = checkerContext.getSValBuilder(); 1320b57cec5SDimitry Andric const RegionRawOffsetV2 &rawOffset = 1330b57cec5SDimitry Andric RegionRawOffsetV2::computeOffset(state, svalBuilder, location); 1340b57cec5SDimitry Andric 1350b57cec5SDimitry Andric if (!rawOffset.getRegion()) 1360b57cec5SDimitry Andric return; 1370b57cec5SDimitry Andric 1380b57cec5SDimitry Andric NonLoc rawOffsetVal = rawOffset.getByteOffset(); 1390b57cec5SDimitry Andric 1400b57cec5SDimitry Andric // CHECK LOWER BOUND: Is byteOffset < extent begin? 1410b57cec5SDimitry Andric // If so, we are doing a load/store 1420b57cec5SDimitry Andric // before the first valid offset in the memory region. 1430b57cec5SDimitry Andric 1440b57cec5SDimitry Andric SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); 1450b57cec5SDimitry Andric 1460b57cec5SDimitry Andric if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) { 1470b57cec5SDimitry Andric if (NV->getAs<nonloc::ConcreteInt>()) { 1480b57cec5SDimitry Andric std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 1490b57cec5SDimitry Andric getSimplifiedOffsets(rawOffset.getByteOffset(), 1500b57cec5SDimitry Andric NV->castAs<nonloc::ConcreteInt>(), 1510b57cec5SDimitry Andric svalBuilder); 1520b57cec5SDimitry Andric rawOffsetVal = simplifiedOffsets.first; 1530b57cec5SDimitry Andric *NV = simplifiedOffsets.second; 1540b57cec5SDimitry Andric } 1550b57cec5SDimitry Andric 1560b57cec5SDimitry Andric SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, 1570b57cec5SDimitry Andric svalBuilder.getConditionType()); 1580b57cec5SDimitry Andric 1590b57cec5SDimitry Andric Optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>(); 1600b57cec5SDimitry Andric if (!lowerBoundToCheck) 1610b57cec5SDimitry Andric return; 1620b57cec5SDimitry Andric 1630b57cec5SDimitry Andric ProgramStateRef state_precedesLowerBound, state_withinLowerBound; 1640b57cec5SDimitry Andric std::tie(state_precedesLowerBound, state_withinLowerBound) = 1650b57cec5SDimitry Andric state->assume(*lowerBoundToCheck); 1660b57cec5SDimitry Andric 1670b57cec5SDimitry Andric // Are we constrained enough to definitely precede the lower bound? 1680b57cec5SDimitry Andric if (state_precedesLowerBound && !state_withinLowerBound) { 1690b57cec5SDimitry Andric reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes); 1700b57cec5SDimitry Andric return; 1710b57cec5SDimitry Andric } 1720b57cec5SDimitry Andric 1730b57cec5SDimitry Andric // Otherwise, assume the constraint of the lower bound. 1740b57cec5SDimitry Andric assert(state_withinLowerBound); 1750b57cec5SDimitry Andric state = state_withinLowerBound; 1760b57cec5SDimitry Andric } 1770b57cec5SDimitry Andric 1780b57cec5SDimitry Andric do { 1795ffd83dbSDimitry Andric // CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so, 1800b57cec5SDimitry Andric // we are doing a load/store after the last valid offset. 1815ffd83dbSDimitry Andric const MemRegion *MR = rawOffset.getRegion(); 182*fe6060f1SDimitry Andric DefinedOrUnknownSVal Size = getDynamicExtent(state, MR, svalBuilder); 1835ffd83dbSDimitry Andric if (!Size.getAs<NonLoc>()) 1840b57cec5SDimitry Andric break; 1850b57cec5SDimitry Andric 1865ffd83dbSDimitry Andric if (Size.getAs<nonloc::ConcreteInt>()) { 1870b57cec5SDimitry Andric std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 1880b57cec5SDimitry Andric getSimplifiedOffsets(rawOffset.getByteOffset(), 1895ffd83dbSDimitry Andric Size.castAs<nonloc::ConcreteInt>(), svalBuilder); 1900b57cec5SDimitry Andric rawOffsetVal = simplifiedOffsets.first; 1915ffd83dbSDimitry Andric Size = simplifiedOffsets.second; 1920b57cec5SDimitry Andric } 1930b57cec5SDimitry Andric 1940b57cec5SDimitry Andric SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, 1955ffd83dbSDimitry Andric Size.castAs<NonLoc>(), 1960b57cec5SDimitry Andric svalBuilder.getConditionType()); 1970b57cec5SDimitry Andric 1980b57cec5SDimitry Andric Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>(); 1990b57cec5SDimitry Andric if (!upperboundToCheck) 2000b57cec5SDimitry Andric break; 2010b57cec5SDimitry Andric 2020b57cec5SDimitry Andric ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; 2030b57cec5SDimitry Andric std::tie(state_exceedsUpperBound, state_withinUpperBound) = 2040b57cec5SDimitry Andric state->assume(*upperboundToCheck); 2050b57cec5SDimitry Andric 2060b57cec5SDimitry Andric // If we are under constrained and the index variables are tainted, report. 2070b57cec5SDimitry Andric if (state_exceedsUpperBound && state_withinUpperBound) { 2080b57cec5SDimitry Andric SVal ByteOffset = rawOffset.getByteOffset(); 2090b57cec5SDimitry Andric if (isTainted(state, ByteOffset)) { 2100b57cec5SDimitry Andric reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, 211a7dea167SDimitry Andric std::make_unique<TaintBugVisitor>(ByteOffset)); 2120b57cec5SDimitry Andric return; 2130b57cec5SDimitry Andric } 2140b57cec5SDimitry Andric } else if (state_exceedsUpperBound) { 2150b57cec5SDimitry Andric // If we are constrained enough to definitely exceed the upper bound, 2160b57cec5SDimitry Andric // report. 2170b57cec5SDimitry Andric assert(!state_withinUpperBound); 2180b57cec5SDimitry Andric reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); 2190b57cec5SDimitry Andric return; 2200b57cec5SDimitry Andric } 2210b57cec5SDimitry Andric 2220b57cec5SDimitry Andric assert(state_withinUpperBound); 2230b57cec5SDimitry Andric state = state_withinUpperBound; 2240b57cec5SDimitry Andric } 2250b57cec5SDimitry Andric while (false); 2260b57cec5SDimitry Andric 2270b57cec5SDimitry Andric checkerContext.addTransition(state); 2280b57cec5SDimitry Andric } 2290b57cec5SDimitry Andric 2300b57cec5SDimitry Andric void ArrayBoundCheckerV2::reportOOB( 2310b57cec5SDimitry Andric CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, 2320b57cec5SDimitry Andric std::unique_ptr<BugReporterVisitor> Visitor) const { 2330b57cec5SDimitry Andric 2340b57cec5SDimitry Andric ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); 2350b57cec5SDimitry Andric if (!errorNode) 2360b57cec5SDimitry Andric return; 2370b57cec5SDimitry Andric 2380b57cec5SDimitry Andric if (!BT) 2390b57cec5SDimitry Andric BT.reset(new BuiltinBug(this, "Out-of-bound access")); 2400b57cec5SDimitry Andric 2410b57cec5SDimitry Andric // FIXME: This diagnostics are preliminary. We should get far better 2420b57cec5SDimitry Andric // diagnostics for explaining buffer overruns. 2430b57cec5SDimitry Andric 2440b57cec5SDimitry Andric SmallString<256> buf; 2450b57cec5SDimitry Andric llvm::raw_svector_ostream os(buf); 2460b57cec5SDimitry Andric os << "Out of bound memory access "; 2470b57cec5SDimitry Andric switch (kind) { 2480b57cec5SDimitry Andric case OOB_Precedes: 2490b57cec5SDimitry Andric os << "(accessed memory precedes memory block)"; 2500b57cec5SDimitry Andric break; 2510b57cec5SDimitry Andric case OOB_Excedes: 2520b57cec5SDimitry Andric os << "(access exceeds upper limit of memory block)"; 2530b57cec5SDimitry Andric break; 2540b57cec5SDimitry Andric case OOB_Tainted: 2550b57cec5SDimitry Andric os << "(index is tainted)"; 2560b57cec5SDimitry Andric break; 2570b57cec5SDimitry Andric } 2580b57cec5SDimitry Andric 259a7dea167SDimitry Andric auto BR = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), errorNode); 2600b57cec5SDimitry Andric BR->addVisitor(std::move(Visitor)); 2610b57cec5SDimitry Andric checkerContext.emitReport(std::move(BR)); 2620b57cec5SDimitry Andric } 2630b57cec5SDimitry Andric 2640b57cec5SDimitry Andric #ifndef NDEBUG 2650b57cec5SDimitry Andric LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { 2660b57cec5SDimitry Andric dumpToStream(llvm::errs()); 2670b57cec5SDimitry Andric } 2680b57cec5SDimitry Andric 2690b57cec5SDimitry Andric void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { 2700b57cec5SDimitry Andric os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; 2710b57cec5SDimitry Andric } 2720b57cec5SDimitry Andric #endif 2730b57cec5SDimitry Andric 2740b57cec5SDimitry Andric // Lazily computes a value to be used by 'computeOffset'. If 'val' 2750b57cec5SDimitry Andric // is unknown or undefined, we lazily substitute '0'. Otherwise, 2760b57cec5SDimitry Andric // return 'val'. 2770b57cec5SDimitry Andric static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { 2780b57cec5SDimitry Andric return val.getAs<UndefinedVal>() ? svalBuilder.makeArrayIndex(0) : val; 2790b57cec5SDimitry Andric } 2800b57cec5SDimitry Andric 2810b57cec5SDimitry Andric // Scale a base value by a scaling factor, and return the scaled 2820b57cec5SDimitry Andric // value as an SVal. Used by 'computeOffset'. 2830b57cec5SDimitry Andric static inline SVal scaleValue(ProgramStateRef state, 2840b57cec5SDimitry Andric NonLoc baseVal, CharUnits scaling, 2850b57cec5SDimitry Andric SValBuilder &sb) { 2860b57cec5SDimitry Andric return sb.evalBinOpNN(state, BO_Mul, baseVal, 2870b57cec5SDimitry Andric sb.makeArrayIndex(scaling.getQuantity()), 2880b57cec5SDimitry Andric sb.getArrayIndexType()); 2890b57cec5SDimitry Andric } 2900b57cec5SDimitry Andric 2910b57cec5SDimitry Andric // Add an SVal to another, treating unknown and undefined values as 2920b57cec5SDimitry Andric // summing to UnknownVal. Used by 'computeOffset'. 2930b57cec5SDimitry Andric static SVal addValue(ProgramStateRef state, SVal x, SVal y, 2940b57cec5SDimitry Andric SValBuilder &svalBuilder) { 2950b57cec5SDimitry Andric // We treat UnknownVals and UndefinedVals the same here because we 2960b57cec5SDimitry Andric // only care about computing offsets. 2970b57cec5SDimitry Andric if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) 2980b57cec5SDimitry Andric return UnknownVal(); 2990b57cec5SDimitry Andric 3000b57cec5SDimitry Andric return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(), 3010b57cec5SDimitry Andric y.castAs<NonLoc>(), 3020b57cec5SDimitry Andric svalBuilder.getArrayIndexType()); 3030b57cec5SDimitry Andric } 3040b57cec5SDimitry Andric 3050b57cec5SDimitry Andric /// Compute a raw byte offset from a base region. Used for array bounds 3060b57cec5SDimitry Andric /// checking. 3070b57cec5SDimitry Andric RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, 3080b57cec5SDimitry Andric SValBuilder &svalBuilder, 3090b57cec5SDimitry Andric SVal location) 3100b57cec5SDimitry Andric { 3110b57cec5SDimitry Andric const MemRegion *region = location.getAsRegion(); 3120b57cec5SDimitry Andric SVal offset = UndefinedVal(); 3130b57cec5SDimitry Andric 3140b57cec5SDimitry Andric while (region) { 3150b57cec5SDimitry Andric switch (region->getKind()) { 3160b57cec5SDimitry Andric default: { 3170b57cec5SDimitry Andric if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) { 3180b57cec5SDimitry Andric offset = getValue(offset, svalBuilder); 3190b57cec5SDimitry Andric if (!offset.isUnknownOrUndef()) 3200b57cec5SDimitry Andric return RegionRawOffsetV2(subReg, offset); 3210b57cec5SDimitry Andric } 3220b57cec5SDimitry Andric return RegionRawOffsetV2(); 3230b57cec5SDimitry Andric } 3240b57cec5SDimitry Andric case MemRegion::ElementRegionKind: { 3250b57cec5SDimitry Andric const ElementRegion *elemReg = cast<ElementRegion>(region); 3260b57cec5SDimitry Andric SVal index = elemReg->getIndex(); 3270b57cec5SDimitry Andric if (!index.getAs<NonLoc>()) 3280b57cec5SDimitry Andric return RegionRawOffsetV2(); 3290b57cec5SDimitry Andric QualType elemType = elemReg->getElementType(); 3300b57cec5SDimitry Andric // If the element is an incomplete type, go no further. 3310b57cec5SDimitry Andric ASTContext &astContext = svalBuilder.getContext(); 3320b57cec5SDimitry Andric if (elemType->isIncompleteType()) 3330b57cec5SDimitry Andric return RegionRawOffsetV2(); 3340b57cec5SDimitry Andric 3350b57cec5SDimitry Andric // Update the offset. 3360b57cec5SDimitry Andric offset = addValue(state, 3370b57cec5SDimitry Andric getValue(offset, svalBuilder), 3380b57cec5SDimitry Andric scaleValue(state, 3390b57cec5SDimitry Andric index.castAs<NonLoc>(), 3400b57cec5SDimitry Andric astContext.getTypeSizeInChars(elemType), 3410b57cec5SDimitry Andric svalBuilder), 3420b57cec5SDimitry Andric svalBuilder); 3430b57cec5SDimitry Andric 3440b57cec5SDimitry Andric if (offset.isUnknownOrUndef()) 3450b57cec5SDimitry Andric return RegionRawOffsetV2(); 3460b57cec5SDimitry Andric 3470b57cec5SDimitry Andric region = elemReg->getSuperRegion(); 3480b57cec5SDimitry Andric continue; 3490b57cec5SDimitry Andric } 3500b57cec5SDimitry Andric } 3510b57cec5SDimitry Andric } 3520b57cec5SDimitry Andric return RegionRawOffsetV2(); 3530b57cec5SDimitry Andric } 3540b57cec5SDimitry Andric 3550b57cec5SDimitry Andric void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { 3560b57cec5SDimitry Andric mgr.registerChecker<ArrayBoundCheckerV2>(); 3570b57cec5SDimitry Andric } 3580b57cec5SDimitry Andric 3595ffd83dbSDimitry Andric bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) { 3600b57cec5SDimitry Andric return true; 3610b57cec5SDimitry Andric } 362