BasicStore.cpp 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594
  1. //== BasicStore.cpp - Basic map from Locations to Values --------*- C++ -*--==//
  2. //
  3. // The LLVM Compiler Infrastructure
  4. //
  5. // This file is distributed under the University of Illinois Open Source
  6. // License. See LICENSE.TXT for details.
  7. //
  8. //===----------------------------------------------------------------------===//
  9. //
  10. // This file defined the BasicStore and BasicStoreManager classes.
  11. //
  12. //===----------------------------------------------------------------------===//
  13. #include "clang/AST/DeclCXX.h"
  14. #include "clang/AST/ExprObjC.h"
  15. #include "clang/Analysis/Analyses/LiveVariables.h"
  16. #include "clang/Analysis/AnalysisContext.h"
  17. #include "clang/StaticAnalyzer/PathSensitive/GRState.h"
  18. #include "llvm/ADT/ImmutableMap.h"
  19. using namespace clang;
  20. using namespace ento;
  21. typedef llvm::ImmutableMap<const MemRegion*,SVal> BindingsTy;
  22. namespace {
  23. class BasicStoreSubRegionMap : public SubRegionMap {
  24. public:
  25. BasicStoreSubRegionMap() {}
  26. bool iterSubRegions(const MemRegion* R, Visitor& V) const {
  27. return true; // Do nothing. No subregions.
  28. }
  29. };
  30. class BasicStoreManager : public StoreManager {
  31. BindingsTy::Factory VBFactory;
  32. public:
  33. BasicStoreManager(GRStateManager& mgr)
  34. : StoreManager(mgr), VBFactory(mgr.getAllocator()) {}
  35. ~BasicStoreManager() {}
  36. SubRegionMap *getSubRegionMap(Store store) {
  37. return new BasicStoreSubRegionMap();
  38. }
  39. SVal Retrieve(Store store, Loc loc, QualType T = QualType());
  40. Store InvalidateRegion(Store store, const MemRegion *R, const Expr *E,
  41. unsigned Count, InvalidatedSymbols *IS);
  42. Store InvalidateRegions(Store store, const MemRegion * const *Begin,
  43. const MemRegion * const *End, const Expr *E,
  44. unsigned Count, InvalidatedSymbols *IS,
  45. bool invalidateGlobals, InvalidatedRegions *Regions);
  46. Store scanForIvars(Stmt *B, const Decl* SelfDecl,
  47. const MemRegion *SelfRegion, Store St);
  48. Store Bind(Store St, Loc loc, SVal V);
  49. Store Remove(Store St, Loc loc);
  50. Store getInitialStore(const LocationContext *InitLoc);
  51. Store BindCompoundLiteral(Store store, const CompoundLiteralExpr*,
  52. const LocationContext*, SVal val) {
  53. return store;
  54. }
  55. /// ArrayToPointer - Used by ExprEngine::VistCast to handle implicit
  56. /// conversions between arrays and pointers.
  57. SVal ArrayToPointer(Loc Array) { return Array; }
  58. /// removeDeadBindings - Scans a BasicStore of 'state' for dead values.
  59. /// It updatees the GRState object in place with the values removed.
  60. Store removeDeadBindings(Store store, const StackFrameContext *LCtx,
  61. SymbolReaper& SymReaper,
  62. llvm::SmallVectorImpl<const MemRegion*>& RegionRoots);
  63. void iterBindings(Store store, BindingsHandler& f);
  64. Store BindDecl(Store store, const VarRegion *VR, SVal InitVal) {
  65. return BindDeclInternal(store, VR, &InitVal);
  66. }
  67. Store BindDeclWithNoInit(Store store, const VarRegion *VR) {
  68. return BindDeclInternal(store, VR, 0);
  69. }
  70. Store BindDeclInternal(Store store, const VarRegion *VR, SVal *InitVal);
  71. static inline BindingsTy GetBindings(Store store) {
  72. return BindingsTy(static_cast<const BindingsTy::TreeTy*>(store));
  73. }
  74. void print(Store store, llvm::raw_ostream& Out, const char* nl,
  75. const char *sep);
  76. private:
  77. SVal LazyRetrieve(Store store, const TypedRegion *R);
  78. };
  79. } // end anonymous namespace
  80. StoreManager* ento::CreateBasicStoreManager(GRStateManager& StMgr) {
  81. return new BasicStoreManager(StMgr);
  82. }
  83. static bool isHigherOrderRawPtr(QualType T, ASTContext &C) {
  84. bool foundPointer = false;
  85. while (1) {
  86. const PointerType *PT = T->getAs<PointerType>();
  87. if (!PT) {
  88. if (!foundPointer)
  89. return false;
  90. // intptr_t* or intptr_t**, etc?
  91. if (T->isIntegerType() && C.getTypeSize(T) == C.getTypeSize(C.VoidPtrTy))
  92. return true;
  93. QualType X = C.getCanonicalType(T).getUnqualifiedType();
  94. return X == C.VoidTy;
  95. }
  96. foundPointer = true;
  97. T = PT->getPointeeType();
  98. }
  99. }
  100. SVal BasicStoreManager::LazyRetrieve(Store store, const TypedRegion *R) {
  101. const VarRegion *VR = dyn_cast<VarRegion>(R);
  102. if (!VR)
  103. return UnknownVal();
  104. const VarDecl *VD = VR->getDecl();
  105. QualType T = VD->getType();
  106. // Only handle simple types that we can symbolicate.
  107. if (!SymbolManager::canSymbolicate(T) || !T->isScalarType())
  108. return UnknownVal();
  109. // Globals and parameters start with symbolic values.
  110. // Local variables initially are undefined.
  111. // Non-static globals may have had their values reset by InvalidateRegions.
  112. const MemSpaceRegion *MS = VR->getMemorySpace();
  113. if (isa<NonStaticGlobalSpaceRegion>(MS)) {
  114. BindingsTy B = GetBindings(store);
  115. // FIXME: Copy-and-pasted from RegionStore.cpp.
  116. if (BindingsTy::data_type *Val = B.lookup(MS)) {
  117. if (SymbolRef parentSym = Val->getAsSymbol())
  118. return svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);
  119. if (Val->isZeroConstant())
  120. return svalBuilder.makeZeroVal(T);
  121. if (Val->isUnknownOrUndef())
  122. return *Val;
  123. assert(0 && "Unknown default value.");
  124. }
  125. }
  126. if (VR->hasGlobalsOrParametersStorage() ||
  127. isa<UnknownSpaceRegion>(VR->getMemorySpace()))
  128. return svalBuilder.getRegionValueSymbolVal(R);
  129. return UndefinedVal();
  130. }
  131. SVal BasicStoreManager::Retrieve(Store store, Loc loc, QualType T) {
  132. if (isa<UnknownVal>(loc))
  133. return UnknownVal();
  134. assert(!isa<UndefinedVal>(loc));
  135. switch (loc.getSubKind()) {
  136. case loc::MemRegionKind: {
  137. const MemRegion* R = cast<loc::MemRegionVal>(loc).getRegion();
  138. if (!(isa<VarRegion>(R) || isa<ObjCIvarRegion>(R) ||
  139. isa<CXXThisRegion>(R)))
  140. return UnknownVal();
  141. BindingsTy B = GetBindings(store);
  142. BindingsTy::data_type *Val = B.lookup(R);
  143. const TypedRegion *TR = cast<TypedRegion>(R);
  144. if (Val)
  145. return CastRetrievedVal(*Val, TR, T);
  146. SVal V = LazyRetrieve(store, TR);
  147. return V.isUnknownOrUndef() ? V : CastRetrievedVal(V, TR, T);
  148. }
  149. case loc::ObjCPropRefKind:
  150. case loc::ConcreteIntKind:
  151. // Support direct accesses to memory. It's up to individual checkers
  152. // to flag an error.
  153. return UnknownVal();
  154. default:
  155. assert (false && "Invalid Loc.");
  156. break;
  157. }
  158. return UnknownVal();
  159. }
  160. Store BasicStoreManager::Bind(Store store, Loc loc, SVal V) {
  161. if (isa<loc::ConcreteInt>(loc))
  162. return store;
  163. const MemRegion* R = cast<loc::MemRegionVal>(loc).getRegion();
  164. // Special case: a default symbol assigned to the NonStaticGlobalsSpaceRegion
  165. // that is used to derive other symbols.
  166. if (isa<NonStaticGlobalSpaceRegion>(R)) {
  167. BindingsTy B = GetBindings(store);
  168. return VBFactory.add(B, R, V).getRoot();
  169. }
  170. // Special case: handle store of pointer values (Loc) to pointers via
  171. // a cast to intXX_t*, void*, etc. This is needed to handle
  172. // OSCompareAndSwap32Barrier/OSCompareAndSwap64Barrier.
  173. if (isa<Loc>(V) || isa<nonloc::LocAsInteger>(V))
  174. if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
  175. // FIXME: Should check for index 0.
  176. QualType T = ER->getLocationType();
  177. if (isHigherOrderRawPtr(T, Ctx))
  178. R = ER->getSuperRegion();
  179. }
  180. if (!(isa<VarRegion>(R) || isa<ObjCIvarRegion>(R) || isa<CXXThisRegion>(R)))
  181. return store;
  182. const TypedRegion *TyR = cast<TypedRegion>(R);
  183. // Do not bind to arrays. We need to explicitly check for this so that
  184. // we do not encounter any weirdness of trying to load/store from arrays.
  185. if (TyR->isBoundable() && TyR->getValueType()->isArrayType())
  186. return store;
  187. if (nonloc::LocAsInteger *X = dyn_cast<nonloc::LocAsInteger>(&V)) {
  188. // Only convert 'V' to a location iff the underlying region type
  189. // is a location as well.
  190. // FIXME: We are allowing a store of an arbitrary location to
  191. // a pointer. We may wish to flag a type error here if the types
  192. // are incompatible. This may also cause lots of breakage
  193. // elsewhere. Food for thought.
  194. if (TyR->isBoundable() && Loc::IsLocType(TyR->getValueType()))
  195. V = X->getLoc();
  196. }
  197. BindingsTy B = GetBindings(store);
  198. return V.isUnknown()
  199. ? VBFactory.remove(B, R).getRoot()
  200. : VBFactory.add(B, R, V).getRoot();
  201. }
  202. Store BasicStoreManager::Remove(Store store, Loc loc) {
  203. switch (loc.getSubKind()) {
  204. case loc::MemRegionKind: {
  205. const MemRegion* R = cast<loc::MemRegionVal>(loc).getRegion();
  206. if (!(isa<VarRegion>(R) || isa<ObjCIvarRegion>(R) ||
  207. isa<CXXThisRegion>(R)))
  208. return store;
  209. return VBFactory.remove(GetBindings(store), R).getRoot();
  210. }
  211. default:
  212. assert ("Remove for given Loc type not yet implemented.");
  213. return store;
  214. }
  215. }
  216. Store BasicStoreManager::removeDeadBindings(Store store,
  217. const StackFrameContext *LCtx,
  218. SymbolReaper& SymReaper,
  219. llvm::SmallVectorImpl<const MemRegion*>& RegionRoots)
  220. {
  221. BindingsTy B = GetBindings(store);
  222. typedef SVal::symbol_iterator symbol_iterator;
  223. // Iterate over the variable bindings.
  224. for (BindingsTy::iterator I=B.begin(), E=B.end(); I!=E ; ++I) {
  225. if (const VarRegion *VR = dyn_cast<VarRegion>(I.getKey())) {
  226. if (SymReaper.isLive(VR))
  227. RegionRoots.push_back(VR);
  228. else
  229. continue;
  230. }
  231. else if (isa<ObjCIvarRegion>(I.getKey()) ||
  232. isa<NonStaticGlobalSpaceRegion>(I.getKey()) ||
  233. isa<CXXThisRegion>(I.getKey()))
  234. RegionRoots.push_back(I.getKey());
  235. else
  236. continue;
  237. // Mark the bindings in the data as live.
  238. SVal X = I.getData();
  239. for (symbol_iterator SI=X.symbol_begin(), SE=X.symbol_end(); SI!=SE; ++SI)
  240. SymReaper.markLive(*SI);
  241. }
  242. // Scan for live variables and live symbols.
  243. llvm::SmallPtrSet<const MemRegion*, 10> Marked;
  244. while (!RegionRoots.empty()) {
  245. const MemRegion* MR = RegionRoots.back();
  246. RegionRoots.pop_back();
  247. while (MR) {
  248. if (const SymbolicRegion* SymR = dyn_cast<SymbolicRegion>(MR)) {
  249. SymReaper.markLive(SymR->getSymbol());
  250. break;
  251. }
  252. else if (isa<VarRegion>(MR) || isa<ObjCIvarRegion>(MR) ||
  253. isa<NonStaticGlobalSpaceRegion>(MR) || isa<CXXThisRegion>(MR)) {
  254. if (Marked.count(MR))
  255. break;
  256. Marked.insert(MR);
  257. SVal X = Retrieve(store, loc::MemRegionVal(MR));
  258. // FIXME: We need to handle symbols nested in region definitions.
  259. for (symbol_iterator SI=X.symbol_begin(),SE=X.symbol_end();SI!=SE;++SI)
  260. SymReaper.markLive(*SI);
  261. if (!isa<loc::MemRegionVal>(X))
  262. break;
  263. const loc::MemRegionVal& LVD = cast<loc::MemRegionVal>(X);
  264. RegionRoots.push_back(LVD.getRegion());
  265. break;
  266. }
  267. else if (const SubRegion* R = dyn_cast<SubRegion>(MR))
  268. MR = R->getSuperRegion();
  269. else
  270. break;
  271. }
  272. }
  273. // Remove dead variable bindings.
  274. for (BindingsTy::iterator I=B.begin(), E=B.end(); I!=E ; ++I) {
  275. const MemRegion* R = I.getKey();
  276. if (!Marked.count(R)) {
  277. store = Remove(store, svalBuilder.makeLoc(R));
  278. SVal X = I.getData();
  279. for (symbol_iterator SI=X.symbol_begin(), SE=X.symbol_end(); SI!=SE; ++SI)
  280. SymReaper.maybeDead(*SI);
  281. }
  282. }
  283. return store;
  284. }
  285. Store BasicStoreManager::scanForIvars(Stmt *B, const Decl* SelfDecl,
  286. const MemRegion *SelfRegion, Store St) {
  287. for (Stmt::child_iterator CI=B->child_begin(), CE=B->child_end();
  288. CI != CE; ++CI) {
  289. if (!*CI)
  290. continue;
  291. // Check if the statement is an ivar reference. We only
  292. // care about self.ivar.
  293. if (ObjCIvarRefExpr *IV = dyn_cast<ObjCIvarRefExpr>(*CI)) {
  294. const Expr *Base = IV->getBase()->IgnoreParenCasts();
  295. if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Base)) {
  296. if (DR->getDecl() == SelfDecl) {
  297. const ObjCIvarRegion *IVR = MRMgr.getObjCIvarRegion(IV->getDecl(),
  298. SelfRegion);
  299. SVal X = svalBuilder.getRegionValueSymbolVal(IVR);
  300. St = Bind(St, svalBuilder.makeLoc(IVR), X);
  301. }
  302. }
  303. }
  304. else
  305. St = scanForIvars(*CI, SelfDecl, SelfRegion, St);
  306. }
  307. return St;
  308. }
  309. Store BasicStoreManager::getInitialStore(const LocationContext *InitLoc) {
  310. // The LiveVariables information already has a compilation of all VarDecls
  311. // used in the function. Iterate through this set, and "symbolicate"
  312. // any VarDecl whose value originally comes from outside the function.
  313. typedef LiveVariables::AnalysisDataTy LVDataTy;
  314. LVDataTy& D = InitLoc->getLiveVariables()->getAnalysisData();
  315. Store St = VBFactory.getEmptyMap().getRoot();
  316. for (LVDataTy::decl_iterator I=D.begin_decl(), E=D.end_decl(); I != E; ++I) {
  317. const NamedDecl* ND = I->first;
  318. // Handle implicit parameters.
  319. if (const ImplicitParamDecl* PD = dyn_cast<ImplicitParamDecl>(ND)) {
  320. const Decl& CD = *InitLoc->getDecl();
  321. if (const ObjCMethodDecl* MD = dyn_cast<ObjCMethodDecl>(&CD)) {
  322. if (MD->getSelfDecl() == PD) {
  323. // FIXME: Add type constraints (when they become available) to
  324. // SelfRegion? (i.e., it implements MD->getClassInterface()).
  325. const VarRegion *VR = MRMgr.getVarRegion(PD, InitLoc);
  326. const MemRegion *SelfRegion =
  327. svalBuilder.getRegionValueSymbolVal(VR).getAsRegion();
  328. assert(SelfRegion);
  329. St = Bind(St, svalBuilder.makeLoc(VR), loc::MemRegionVal(SelfRegion));
  330. // Scan the method for ivar references. While this requires an
  331. // entire AST scan, the cost should not be high in practice.
  332. St = scanForIvars(MD->getBody(), PD, SelfRegion, St);
  333. }
  334. }
  335. }
  336. }
  337. if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(InitLoc->getDecl())) {
  338. // For C++ methods add symbolic region for 'this' in initial stack frame.
  339. QualType ThisT = MD->getThisType(StateMgr.getContext());
  340. MemRegionManager &RegMgr = svalBuilder.getRegionManager();
  341. const CXXThisRegion *ThisR = RegMgr.getCXXThisRegion(ThisT, InitLoc);
  342. SVal ThisV = svalBuilder.getRegionValueSymbolVal(ThisR);
  343. St = Bind(St, svalBuilder.makeLoc(ThisR), ThisV);
  344. }
  345. return St;
  346. }
  347. Store BasicStoreManager::BindDeclInternal(Store store, const VarRegion* VR,
  348. SVal* InitVal) {
  349. BasicValueFactory& BasicVals = StateMgr.getBasicVals();
  350. const VarDecl *VD = VR->getDecl();
  351. // BasicStore does not model arrays and structs.
  352. if (VD->getType()->isArrayType() || VD->getType()->isStructureOrClassType())
  353. return store;
  354. if (VD->hasGlobalStorage()) {
  355. // Handle variables with global storage: extern, static, PrivateExtern.
  356. // FIXME:: static variables may have an initializer, but the second time a
  357. // function is called those values may not be current. Currently, a function
  358. // will not be called more than once.
  359. // Static global variables should not be visited here.
  360. assert(!(VD->getStorageClass() == SC_Static &&
  361. VD->isFileVarDecl()));
  362. // Process static variables.
  363. if (VD->getStorageClass() == SC_Static) {
  364. // C99: 6.7.8 Initialization
  365. // If an object that has static storage duration is not initialized
  366. // explicitly, then:
  367. // -if it has pointer type, it is initialized to a null pointer;
  368. // -if it has arithmetic type, it is initialized to (positive or
  369. // unsigned) zero;
  370. if (!InitVal) {
  371. QualType T = VD->getType();
  372. if (Loc::IsLocType(T))
  373. store = Bind(store, loc::MemRegionVal(VR),
  374. loc::ConcreteInt(BasicVals.getValue(0, T)));
  375. else if (T->isIntegerType() && T->isScalarType())
  376. store = Bind(store, loc::MemRegionVal(VR),
  377. nonloc::ConcreteInt(BasicVals.getValue(0, T)));
  378. } else {
  379. store = Bind(store, loc::MemRegionVal(VR), *InitVal);
  380. }
  381. }
  382. } else {
  383. // Process local scalar variables.
  384. QualType T = VD->getType();
  385. // BasicStore only supports scalars.
  386. if ((T->isScalarType() || T->isReferenceType()) &&
  387. svalBuilder.getSymbolManager().canSymbolicate(T)) {
  388. SVal V = InitVal ? *InitVal : UndefinedVal();
  389. store = Bind(store, loc::MemRegionVal(VR), V);
  390. }
  391. }
  392. return store;
  393. }
  394. void BasicStoreManager::print(Store store, llvm::raw_ostream& Out,
  395. const char* nl, const char *sep) {
  396. BindingsTy B = GetBindings(store);
  397. Out << "Variables:" << nl;
  398. bool isFirst = true;
  399. for (BindingsTy::iterator I=B.begin(), E=B.end(); I != E; ++I) {
  400. if (isFirst)
  401. isFirst = false;
  402. else
  403. Out << nl;
  404. Out << ' ' << I.getKey() << " : " << I.getData();
  405. }
  406. }
  407. void BasicStoreManager::iterBindings(Store store, BindingsHandler& f) {
  408. BindingsTy B = GetBindings(store);
  409. for (BindingsTy::iterator I=B.begin(), E=B.end(); I != E; ++I)
  410. if (!f.HandleBinding(*this, store, I.getKey(), I.getData()))
  411. return;
  412. }
  413. StoreManager::BindingsHandler::~BindingsHandler() {}
  414. //===----------------------------------------------------------------------===//
  415. // Binding invalidation.
  416. //===----------------------------------------------------------------------===//
  417. Store BasicStoreManager::InvalidateRegions(Store store,
  418. const MemRegion * const *I,
  419. const MemRegion * const *End,
  420. const Expr *E, unsigned Count,
  421. InvalidatedSymbols *IS,
  422. bool invalidateGlobals,
  423. InvalidatedRegions *Regions) {
  424. if (invalidateGlobals) {
  425. BindingsTy B = GetBindings(store);
  426. for (BindingsTy::iterator I=B.begin(), End=B.end(); I != End; ++I) {
  427. const MemRegion *R = I.getKey();
  428. if (isa<NonStaticGlobalSpaceRegion>(R->getMemorySpace()))
  429. store = InvalidateRegion(store, R, E, Count, IS);
  430. }
  431. }
  432. for ( ; I != End ; ++I) {
  433. const MemRegion *R = *I;
  434. // Don't invalidate globals twice.
  435. if (invalidateGlobals) {
  436. if (isa<NonStaticGlobalSpaceRegion>(R->getMemorySpace()))
  437. continue;
  438. }
  439. store = InvalidateRegion(store, *I, E, Count, IS);
  440. if (Regions)
  441. Regions->push_back(R);
  442. }
  443. // FIXME: This is copy-and-paste from RegionStore.cpp.
  444. if (invalidateGlobals) {
  445. // Bind the non-static globals memory space to a new symbol that we will
  446. // use to derive the bindings for all non-static globals.
  447. const GlobalsSpaceRegion *GS = MRMgr.getGlobalsRegion();
  448. SVal V =
  449. svalBuilder.getConjuredSymbolVal(/* SymbolTag = */ (void*) GS, E,
  450. /* symbol type, doesn't matter */ Ctx.IntTy,
  451. Count);
  452. store = Bind(store, loc::MemRegionVal(GS), V);
  453. if (Regions)
  454. Regions->push_back(GS);
  455. }
  456. return store;
  457. }
  458. Store BasicStoreManager::InvalidateRegion(Store store,
  459. const MemRegion *R,
  460. const Expr *E,
  461. unsigned Count,
  462. InvalidatedSymbols *IS) {
  463. R = R->StripCasts();
  464. if (!(isa<VarRegion>(R) || isa<ObjCIvarRegion>(R)))
  465. return store;
  466. if (IS) {
  467. BindingsTy B = GetBindings(store);
  468. if (BindingsTy::data_type *Val = B.lookup(R)) {
  469. if (SymbolRef Sym = Val->getAsSymbol())
  470. IS->insert(Sym);
  471. }
  472. }
  473. QualType T = cast<TypedRegion>(R)->getValueType();
  474. SVal V = svalBuilder.getConjuredSymbolVal(R, E, T, Count);
  475. return Bind(store, loc::MemRegionVal(R), V);
  476. }