r178701 - [analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown
Anna Zaks
ganna at apple.com
Wed Apr 3 14:34:13 PDT 2013
Author: zaks
Date: Wed Apr 3 16:34:12 2013
New Revision: 178701
URL: http://llvm.org/viewvc/llvm-project?rev=178701&view=rev
Log:
[analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown
Improvement of r178684 and r178685.
Jordan has pointed out that I should not rely on the value of the condition to know which expression branch
has been taken. It will not work in cases the branch condition is an unknown value (ex: we do not track the constraints for floats).
The better way of doing this would be to find out if the current node is the right or left successor of the node
that has the ternary operator as a terminator (which is how this is done in other places, like ConditionBRVisitor).
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
cfe/trunk/test/Analysis/inlining/false-positive-suppression.c
Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=178701&r1=178700&r2=178701&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Wed Apr 3 16:34:12 2013
@@ -799,21 +799,25 @@ static const Expr *peelOffOuterExpr(cons
// Peel off the ternary operator.
if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(Ex)) {
- const Expr *CondEx = CO->getCond();
-
- // Find a node where the value of the condition is known.
+ // Find a node where the branching occured and find out which branch
+ // we took (true/false) by looking at the ExplodedGraph.
+ const ExplodedNode *NI = N;
do {
- ProgramStateRef State = N->getState();
- SVal CondVal = State->getSVal(CondEx, N->getLocationContext());
- ConditionTruthVal CondEvaluated = State->isNull(CondVal);
- if (CondEvaluated.isConstrained()) {
- if (CondEvaluated.isConstrainedTrue())
- return peelOffOuterExpr(CO->getFalseExpr(), N);
- else
- return peelOffOuterExpr(CO->getTrueExpr(), N);
+ ProgramPoint ProgPoint = NI->getLocation();
+ if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) {
+ const CFGBlock *srcBlk = BE->getSrc();
+ if (const Stmt *term = srcBlk->getTerminator()) {
+ if (term == CO) {
+ bool TookTrueBranch = (*(srcBlk->succ_begin()) == BE->getDst());
+ if (TookTrueBranch)
+ return peelOffOuterExpr(CO->getTrueExpr(), N);
+ else
+ return peelOffOuterExpr(CO->getFalseExpr(), N);
+ }
+ }
}
- N = N->getFirstPred();
- } while (N);
+ NI = NI->getFirstPred();
+ } while (NI);
}
return Ex;
}
Modified: cfe/trunk/test/Analysis/inlining/false-positive-suppression.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/false-positive-suppression.c?rev=178701&r1=178700&r2=178701&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inlining/false-positive-suppression.c (original)
+++ cfe/trunk/test/Analysis/inlining/false-positive-suppression.c Wed Apr 3 16:34:12 2013
@@ -260,9 +260,10 @@ int testNestedConditionalOperator(int x)
return *(x ? (x ? 0 : getPtr()) : getPtr()); // expected-warning {{Dereference of null pointer}}
}
-// False Positve - we are unable to suppress this case because the condition is
-// float.
int testConditionalOperatorSuppressFloatCond(float x) {
- return *(x ? getNull() : getPtr()); // expected-warning {{Dereference of null pointer}}
+ return *(x ? getNull() : getPtr());
+#ifndef SUPPRESSED
+ // expected-warning at -2 {{Dereference of null pointer}}
+#endif
}
More information about the cfe-commits
mailing list