[cfe-commits] r84320 - in /cfe/trunk: lib/Analysis/SimpleSValuator.cpp test/Analysis/misc-ps.m

Ted Kremenek kremenek at apple.com
Sat Oct 17 00:39:38 PDT 2009 

Author: kremenek
Date: Sat Oct 17 02:39:35 2009
New Revision: 84320

URL: http://llvm.org/viewvc/llvm-project?rev=84320&view=rev
Log:
Fix another static analyzer crash due to a corner case in "folding" symbolic values that are constrained to be a constant.

Modified:
    cfe/trunk/lib/Analysis/SimpleSValuator.cpp
    cfe/trunk/test/Analysis/misc-ps.m

Modified: cfe/trunk/lib/Analysis/SimpleSValuator.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/SimpleSValuator.cpp?rev=84320&r1=84319&r2=84320&view=diff

==============================================================================
--- cfe/trunk/lib/Analysis/SimpleSValuator.cpp (original)
+++ cfe/trunk/lib/Analysis/SimpleSValuator.cpp Sat Oct 17 02:39:35 2009
@@ -346,24 +346,29 @@
       nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs);
       SymbolRef Sym = slhs->getSymbol();
       
-      // Does the symbol simplify to a constant?
+      // Does the symbol simplify to a constant?  If so, "fold" the constant
+      // by setting 'lhs' to a ConcreteInt and try again.
       if (Sym->getType(ValMgr.getContext())->isIntegerType())
         if (const llvm::APSInt *Constant = state->getSymVal(Sym)) {
-          // For shifts, there is no need to perform any conversions
-          // of the constant.
-          if (BinaryOperator::isShiftOp(op)) {
-            lhs = nonloc::ConcreteInt(*Constant);
+          // The symbol evaluates to a constant. If necessary, promote the
+          // folded constant (LHS) to the result type.
+          BasicValueFactory &BVF = ValMgr.getBasicValueFactory();
+          const llvm::APSInt &lhs_I = BVF.Convert(resultTy, *Constant);
+          lhs = nonloc::ConcreteInt(lhs_I);
+          
+          // Also promote the RHS (if necessary).
+
+          // For shifts, it necessary promote the RHS to the result type.
+          if (BinaryOperator::isShiftOp(op))
             continue;
-          }
           
-          // Other cases: do an implicit conversion.  This shouldn't be
+          // Other operators: do an implicit conversion.  This shouldn't be
           // necessary once we support truncation/extension of symbolic values.
           if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){
-            BasicValueFactory &BVF = ValMgr.getBasicValueFactory();
-            lhs = nonloc::ConcreteInt(BVF.Convert(rhs_I->getValue(),
-                                                  *Constant));
-            continue;
+            rhs = nonloc::ConcreteInt(BVF.Convert(resultTy, rhs_I->getValue()));
           }
+          
+          continue;
         }
       
       if (isa<nonloc::ConcreteInt>(rhs)) {

Modified: cfe/trunk/test/Analysis/misc-ps.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/misc-ps.m?rev=84320&r1=84319&r2=84320&view=diff

==============================================================================
--- cfe/trunk/test/Analysis/misc-ps.m (original)
+++ cfe/trunk/test/Analysis/misc-ps.m Sat Oct 17 02:39:35 2009
@@ -681,21 +681,23 @@
   return 1;
 }
 
+//===----------------------------------------------------------------------===//
 // Test constant-folding of symbolic values, automatically handling type
-// conversions of the symbol as necessary.  Previously this would crash
-// once we started eagerly evaluating symbols whose values were constrained
-// to a single value.
-void test_constant_symbol(signed char x) {
+// conversions of the symbol as necessary.
+//===----------------------------------------------------------------------===//
+
+
+// Previously this would crash once we started eagerly evaluating symbols whose 
+// values were constrained to a single value.
+void test_symbol_fold_1(signed char x) {
   while (1) {
     if (x == ((signed char) 0)) {}
   }
 }
 
-// Test constant-folding of symbolic values, where a folded symbolic value is used in a
-// bitshift operation.  This previously caused a crash because it triggered an assertion
-// in APSInt.
-void test_symbol_fold_with_shift(unsigned int * p, unsigned int n,
-                                const unsigned int * grumpkin, unsigned int dn) {
+// This previously caused a crash because it triggered an assertion in APSInt.
+void test_symbol_fold_2(unsigned int * p, unsigned int n,
+                        const unsigned int * grumpkin, unsigned int dn) {
   unsigned int i;
   unsigned int tempsub[8];
   unsigned int *solgrumpkin = tempsub + n;
@@ -704,3 +706,15 @@
   for (i <<= 5; i < (n << 5); i++) {}
 }
 
+// This previously caused a crash because it triggered an assertion in APSInt.
+// 'x' would evaluate to a 8-bit constant (because of the return value of
+// test_symbol_fold_3_aux()) which would not get properly promoted to an
+// integer.
+char test_symbol_fold_3_aux(void);
+unsigned test_symbol_fold_3(void) {
+  unsigned x = test_symbol_fold_3_aux();
+  if (x == 54)
+    return (x << 8) | 0x5;
+  return 0;
+}  
+

More information about the cfe-commits mailing list