[cfe-commits] r131702 - in /cfe/trunk: lib/StaticAnalyzer/Core/RegionStore.cpp test/Analysis/misc-ps-region-store.cpp

Ted Kremenek kremenek at apple.com
Thu May 19 16:37:58 PDT 2011


Author: kremenek
Date: Thu May 19 18:37:58 2011
New Revision: 131702

URL: http://llvm.org/viewvc/llvm-project?rev=131702&view=rev
Log:
Teach RegionStore not to symbolic array values whose indices it cannot reason about.

Modified:
    cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
    cfe/trunk/test/Analysis/misc-ps-region-store.cpp

Modified: cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp?rev=131702&r1=131701&r2=131702&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Thu May 19 18:37:58 2011
@@ -1063,6 +1063,11 @@
   //   return *y;
   // FIXME: This is a hack, and doesn't do anything really intelligent yet.
   const RegionRawOffset &O = R->getAsArrayOffset();
+  
+  // If we cannot reason about the offset, return an unknown value.
+  if (!O.getRegion())
+    return UnknownVal();
+  
   if (const TypedRegion *baseR = dyn_cast_or_null<TypedRegion>(O.getRegion())) {
     QualType baseT = baseR->getValueType();
     if (baseT->isScalarType()) {
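Review bot: With the new early return on a null `O.getRegion()`, the `dyn_cast_or_null<TypedRegion>` on the next line can no longer see a null pointer, so `dyn_cast<TypedRegion>(O.getRegion())` would state the invariant the guard just established instead of silently re-checking it. The comment on the guard could also say what a null region means here, e.g. `// getAsArrayOffset() yields no base region when the index is not a concrete offset; treat the element as unknown rather than conjure a symbol for it.` — the function this hunk sits in starts and ends outside the hunk, so I am inferring that from the surrounding FIXME. The two added blank lines carry trailing whitespace (`+  `) and should be empty.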

Modified: cfe/trunk/test/Analysis/misc-ps-region-store.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/misc-ps-region-store.cpp?rev=131702&r1=131701&r2=131702&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/misc-ps-region-store.cpp (original)
+++ cfe/trunk/test/Analysis/misc-ps-region-store.cpp Thu May 19 18:37:58 2011
@@ -395,3 +395,22 @@
   return x; // no-warning
 }
 
+// Test assigning into a symbolic offset.
+struct TestAssignIntoSymbolicOffset {
+  int **stuff[100];
+  void test(int x, int y);
+};
+
+void TestAssignIntoSymbolicOffset::test(int x, int y) {
+  x--;
+  if (x > 8 || x < 0)
+    return;
+  if (stuff[x])
+    return;
+  if (!stuff[x]) {
+    stuff[x] = new int*[y+1];
+    // Previously triggered a null dereference.
+    stuff[x][y] = 0; // no-warning
+  }
+}
+
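Review bot: In `TestAssignIntoSymbolicOffset::test` the `if (!stuff[x])` branch is always taken because the preceding `if (stuff[x]) return;` already left the function, so a reader will be tempted to delete it as dead code; if it is there so the analyzer carries an explicit null constraint on `stuff[x]` into the store, a one-line comment such as `// Redundant on purpose: pins the null constraint on stuff[x] before the store.` would protect the regression. The comment `// Previously triggered a null dereference.` would be more useful if it named the path: `// Previously the element read through a symbolic index was bound to a null symbol, producing a false null-dereference report.` — hedged, since the analyzer side of this commit only shows the unknown-value fallback. No RUN line or expected-warning markers are visible in this hunk, so I assume the file's existing header drives the test.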




