[analyzer] Push "references are non-null" knowledge up to the common parent.

This reduces duplication across the Basic and Range constraint managers, and
keeps their internals free of dealing with the semantics of C++. It's still
a little unfortunate that the constraint manager is dealing with this at all,
but this is pretty much the only place to put it so that it will apply to all
symbolic values, even when embedded in larger expressions.

llvm-svn: 162313

clang/lib/StaticAnalyzer/Core/BasicConstraintManager.cpp

@@ -363,11 +363,6 @@ const llvm::APSInt* BasicConstraintManager::getSymVal(ProgramStateRef state,
 bool BasicConstraintManager::isNotEqual(ProgramStateRef state,
                                         SymbolRef sym,
                                         const llvm::APSInt& V) const {
-  // Special case: references are known to be non-zero.
-  if (sym->getType(getBasicVals().getContext())->isReferenceType())
-    if (V == 0)
-      return true;
-
   // Retrieve the NE-set associated with the given symbol.
   const ConstNotEqTy::data_type* T = state->get<ConstNotEq>(sym);
 

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

@@ -380,17 +380,7 @@ RangeConstraintManager::GetRange(ProgramStateRef state, SymbolRef sym) {
   // given symbol type.
   BasicValueFactory &BV = getBasicVals();
   QualType T = sym->getType(BV.getContext());
-
-  RangeSet Result(F, BV.getMinValue(T), BV.getMaxValue(T));
-
-  // Special case: references are known to be non-zero.
-  if (T->isReferenceType()) {
-    APSIntType IntType = BV.getAPSIntType(T);
-    Result = Result.Intersect(BV, F, ++IntType.getZeroValue(),
-                                     --IntType.getZeroValue());
-  }
-
-  return Result;
+  return RangeSet(F, BV.getMinValue(T), BV.getMaxValue(T));
 }
 
 //===------------------------------------------------------------------------===

clang/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp

@@ -84,14 +84,9 @@ ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state,
     const SubRegion *SubR = dyn_cast<SubRegion>(R);
 
     while (SubR) {
-      // FIXME: now we only find the first symbolic region.
-      if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SubR)) {
-        const llvm::APSInt &zero = getBasicVals().getZeroWithPtrWidth();
-        if (Assumption)
-          return assumeSymNE(state, SymR->getSymbol(), zero, zero);
-        else
-          return assumeSymEQ(state, SymR->getSymbol(), zero, zero);
-      }
+      if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SubR))
+        return assumeAuxForSymbol(state, SymR->getSymbol(), Assumption);
+
       SubR = dyn_cast<SubRegion>(SubR->getSuperRegion());
     }
 
@@ -138,10 +133,13 @@ SimpleConstraintManager::assumeAuxForSymbol(ProgramStateRef State,
   BasicValueFactory &BVF = getBasicVals();
   QualType T = Sym->getType(BVF.getContext());
 
-  // None of the constraint solvers currently support non-integer types.
-  if (!T->isIntegerType())
+  // Don't do anything if this isn't a type we can constrain.
+  if (!(T->isIntegralOrEnumerationType() || Loc::isLocType(T)))
     return State;
 
+  if (T->isReferenceType())
+    return Assumption ? State : NULL;
+
   const llvm::APSInt &zero = BVF.getValue(0, T);
   if (Assumption)
     return assumeSymNE(State, Sym, zero, zero);
@@ -161,8 +159,6 @@ ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state,
     return assumeAuxForSymbol(state, sym, Assumption);
   }
 
-  BasicValueFactory &BasicVals = getBasicVals();
-
   switch (Cond.getSubKind()) {
   default:
     llvm_unreachable("'Assume' not implemented for this NonLoc");
@@ -185,12 +181,9 @@ ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state,
 
       BinaryOperator::Opcode op = SE->getOpcode();
       // Implicitly compare non-comparison expressions to 0.
-      if (!BinaryOperator::isComparisonOp(op)) {
-        QualType T = SE->getType(BasicVals.getContext());
-        const llvm::APSInt &zero = BasicVals.getValue(0, T);
-        op = (Assumption ? BO_NE : BO_EQ);
-        return assumeSymRel(state, SE, op, zero);
-      }
+      if (!BinaryOperator::isComparisonOp(op))
+        return assumeAuxForSymbol(state, SE, Assumption);
+
       // From here on out, op is the real comparison we'll be testing.
       if (!Assumption)
         op = NegateComparison(op);
@@ -238,8 +231,25 @@ ProgramStateRef SimpleConstraintManager::assumeSymRel(ProgramStateRef state,
   BasicValueFactory &BVF = getBasicVals();
   ASTContext &Ctx = BVF.getContext();
 
+  // Special case for references, which cannot be null.
+  QualType Ty = LHS->getType(Ctx);
+  if (Ty->isReferenceType() && Int == 0) {
+    switch (op) {
+    case BO_EQ:
+    case BO_LE:
+    case BO_LT:
+      return NULL;
+    case BO_NE:
+    case BO_GT:
+    case BO_GE:
+      return state;
+    default:
+      llvm_unreachable("We should only be handling comparisons here.");
+    }
+  }
+
   // Get the type used for calculating wraparound.
-  APSIntType WraparoundType = BVF.getAPSIntType(LHS->getType(Ctx));
+  APSIntType WraparoundType = BVF.getAPSIntType(Ty);
 
   // We only handle simple comparisons of the form "$sym == constant"
   // or "($sym+constant1) == constant2".

clang/test/Analysis/reference.cpp

@@ -119,6 +119,9 @@ void testReferenceAddress(int &x) {
 
   extern S *getS();
   clang_analyzer_eval(&getS()->x != 0); // expected-warning{{TRUE}}
+
+  // This actually takes a different path, because it's not a BinaryOperator.
+  clang_analyzer_eval(&getS()->x); // expected-warning{{TRUE}}
 }