[cfe-commits] r117336 - in /cfe/trunk: lib/Checker/RegionStore.cpp test/Analysis/misc-ps.m

Ted Kremenek kremenek at apple.com
Mon Oct 25 17:06:17 PDT 2010


Author: kremenek
Date: Mon Oct 25 19:06:17 2010
New Revision: 117336

URL: http://llvm.org/viewvc/llvm-project?rev=117336&view=rev
Log:
Fix lazy symbolication bug in RegionStore involving fields of global variables.  When invalidated, the entire
globals memory space gets assigned a symbolic value, but that value was not being used for lazy symbolication
of fields of globals.  This could result in cases where bogus null dereferences were being reported.

Fixes PR 8440.

Modified:
    cfe/trunk/lib/Checker/RegionStore.cpp
    cfe/trunk/test/Analysis/misc-ps.m

Modified: cfe/trunk/lib/Checker/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Checker/RegionStore.cpp?rev=117336&r1=117335&r2=117336&view=diff
==============================================================================
--- cfe/trunk/lib/Checker/RegionStore.cpp (original)
+++ cfe/trunk/lib/Checker/RegionStore.cpp Mon Oct 25 19:06:17 2010
@@ -686,6 +686,16 @@
     B = RM.Add(B, baseR, BindingKey::Default, V);
     return;
   }
+  
+  if (includeGlobals && 
+      isa<NonStaticGlobalSpaceRegion>(baseR->getMemorySpace())) {
+    // If the region is a global and we are invalidating all globals,
+    // just erase the entry.  This causes all globals to be lazily
+    // symbolicated from the same base symbol.
+    B = RM.Remove(B, baseR);
+    return;
+  }
+  
 
   DefinedOrUnknownSVal V = ValMgr.getConjuredSymbolVal(baseR, Ex, T, Count);
   assert(SymbolManager::canSymbolicate(T) || V.isUnknown());
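Review bot: The early return added at lines 33-40 removes the binding for `baseR` instead of conjuring a fresh symbol, so every later read of that global now depends on a default binding already being present on the enclosing globals memory-space region; nothing in this hunk installs one, and the comment should say where that precondition comes from, e.g. `// Relies on the caller that passes includeGlobals having already bound a default symbol to the GlobalsSpaceRegion; without it the read falls through to the store's normal lookup.` (presumably the invalidation entry point — confirm). The added lines 32, 33 and 41 carry trailing whitespace, and line 41 leaves two consecutive blank lines with line 42. The enclosing function starts and ends outside the hunk.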
@@ -1182,16 +1192,16 @@
   RegionBindings B = GetRegionBindings(store);
 
   while (superR) {
-    if (const Optional<SVal> &D = RetrieveDerivedDefaultValue(B, superR, R, Ty))
+    if (const Optional<SVal> &D =
+        RetrieveDerivedDefaultValue(B, superR, R, Ty))
       return *D;
 
     // If our super region is a field or element itself, walk up the region
     // hierarchy to see if there is a default value installed in an ancestor.
-    if (isa<FieldRegion>(superR) || isa<ElementRegion>(superR)) {
-      superR = cast<SubRegion>(superR)->getSuperRegion();
+    if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) {
+      superR = SR->getSuperRegion();
       continue;
     }
-
     break;
   }
 
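Review bot: The comment on lines 54-55 still says the walk only happens when the super region is a field or element, but the condition at line 58 now matches any `SubRegion`, so the loop climbs through every subregion ancestor until it reaches a memory-space region (presumably the VarRegion step is what lets a field of a global reach the global space's default binding). Update it so it matches the code, e.g. `// Walk up through every SubRegion ancestor (field, element, var, ...) until a default value is found or we reach a memory space.` Note that `RetrieveDerivedDefaultValue` is still called with the original `R` on each iteration while only `superR` climbs, which looks intended but is worth stating in the comment. The enclosing function starts and ends outside the hunk.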

Modified: cfe/trunk/test/Analysis/misc-ps.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/misc-ps.m?rev=117336&r1=117335&r2=117336&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/misc-ps.m (original)
+++ cfe/trunk/test/Analysis/misc-ps.m Mon Oct 25 19:06:17 2010
@@ -1159,3 +1159,23 @@
   @synchronized(x.lock) {} // no-warning
 }
 
+// PR 8440 - False null dereference during store to array-in-field-in-global.
+// This test case previously resulted in a bogus null deref warning from
+// incorrect lazy symbolication logic in RegionStore.
+static struct {
+  int num;
+  char **data;
+} saved_pr8440;
+
+char *foo_pr8440();
+char **bar_pr8440();
+void baz_pr8440(int n)
+{
+   saved_pr8440.num = n;
+   if (saved_pr8440.data) 
+     return;
+   saved_pr8440.data = bar_pr8440();
+   for (int i = 0 ; i < n ; i ++)
+     saved_pr8440.data[i] = foo_pr8440(); // no-warning
+}
+
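Review bot: The new test only exercises a file-scope `static` aggregate (`saved_pr8440`), while the fix in RegionStore keys on `NonStaticGlobalSpaceRegion`; a second variant using a non-`static` extern global, and ideally a function-scope static, would pin the memory-space distinction the fix relies on rather than leaving it implied (I am inferring which space a file-scope static lands in — confirm). Line 89 has trailing whitespace after `if (saved_pr8440.data)`, and the loop header spacing `for (int i = 0 ; i < n ; i ++)` differs from the surrounding file's style; `for (int i = 0; i < n; i++)` would match.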




