[PATCH] D81254: [analyzer] Produce symbolic values for C-array elements

Denys Petrov via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Jun 5 05:28:05 PDT 2020


ASDenysPetrov created this revision.
ASDenysPetrov added reviewers: dcoughlin, NoQ, alexfh.
ASDenysPetrov added a project: clang.
Herald added subscribers: cfe-commits, martong, Charusso, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.

Problem:
The issue is that UnknownVal is produced for an array element when it is used in expressions with unknown bounds and an unknown index. Thus it is not bound in the list of Expressions and can never be used twice.

Solution:
Produce symbolic values for array elements instead of UnknownVal. This also makes it possible to bind these values and use them later in subsequent expressions.

This fixes https://bugs.llvm.org/show_bug.cgi?id=9289


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D81254

Files:
  clang/lib/StaticAnalyzer/Core/RegionStore.cpp
  clang/test/Analysis/PR9289.cpp


Index: clang/test/Analysis/PR9289.cpp
===================================================================
--- /dev/null
+++ clang/test/Analysis/PR9289.cpp
@@ -0,0 +1,32 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
+
+int fun(const int *a, int index) {
+  int var;
+  int ret = 0;
+  if (a[index] < 2)
+    var = 1;
+  if (a[index] < 2)
+    ret = var; // no warning about garbage value
+  return ret;
+}
+
+int fun2(const int **a, int index, int index2) {
+  int var;
+  int ret = 0;
+  if (a[index][index2] < 2)
+    var = 1;
+  if (a[index][index2] < 2)
+    ret = var; // no warning about garbage value
+  return ret;
+}
+
+int fun3(const int *a, int index, int index2) {
+  int var;
+  int ret = 0;
+  if (a[index] < 2)
+    var = 1;
+  index = index2;
+  if (a[index] < 2)
+    ret = var; // expected-warning{{Assigned value is garbage or undefined [core.uninitialized.Assign]}}
+  return ret;
+}
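Review bot: the new test only covers reads through `const int *` / `const int **` parameters, so it never exercises the invalidation path that a reused element symbol depends on. `fun`, `fun2` and `fun3` show that `a[index]` yields the same value across two reads and a different one after `index = index2;`, but there is no case where the array may have been written between the reads (a non-const `int *a` with a store such as `a[index2] = 0;` or a call to an unknown function in between). Please add one such function with `expected-warning{{Assigned value is garbage or undefined ...}}` so the patch demonstrates the symbol is not reused stale. As a style point, the `// no warning about garbage value` comments on the `ret = var;` lines in `fun` and `fun2` could use the conventional `// no-warning` marker used throughout the analyzer tests.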
Index: clang/lib/StaticAnalyzer/Core/RegionStore.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1704,9 +1704,9 @@
   // FIXME: This is a hack, and doesn't do anything really intelligent yet.
   const RegionRawOffset &O = R->getAsArrayOffset();
 
-  // If we cannot reason about the offset, return an unknown value.
+  // If we cannot reason about the offset, return a symbolic value.
   if (!O.getRegion())
-    return UnknownVal();
+    return svalBuilder.getRegionValueSymbolVal(R);
 
   if (const TypedValueRegion *baseR =
         dyn_cast_or_null<TypedValueRegion>(O.getRegion())) {
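Review bot: the updated comment on the `if (!O.getRegion())` branch overstates what the new return does: `svalBuilder.getRegionValueSymbolVal(R)` still yields `UnknownVal` when the element type is one the symbol manager cannot symbolicate, so "return a symbolic value" should read along the lines of "return a symbolic value where the element type allows it". It would also help to extend the comment with the reason a `SymbolRegionValue` for the element region `R` itself is the right choice here: this branch is exactly the case where the offset into the base array cannot be computed, so the value cannot be related to any existing binding of the base region handled by the `TypedValueRegion *baseR` path that follows. The surrounding `// FIXME: This is a hack` note is left as is, which is fine, but the new comment should not suggest the hack has been resolved.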


