[PATCH] D77062: [analyzer] Improve zero assumption in CStringChecke::assumeZero

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Sep 25 02:18:45 PDT 2020


steakhal added a comment.

Finally, I made my investigations and I came up with this code:

  void strcpy(char *, char *);
  void test(int *a, char ***b) {
    *(unsigned char **)b = (unsigned char*)a; // #1
    if (**b == nullptr) // will-crash
      ;
  }

So, this issue does not relate to CStringChecker. It will crash at `ExprEngineC.cpp:100`.
It seems that we have to make the choice of how to model type punning.
As you can see in the example, we overwrite the pointer value of `*b` to point to an //unsigned char// value //(#1)//.
The static type of `b` (//char***//) does not reflect the associated value's type, which is //unsigned char**// //(note the number of indirections!)//; in other words, an obvious type pun happened at that line.
If we get the value of `**b`, we get a //NonLoc// of type //unsigned char//.
The dump of `**b` confirms this: `reg_$4<unsigned char Element{SymRegion{reg_$0<int * a>},0 S64b,unsigned char}>`, which is a `NonLoc` indeed.

IMO we should fix the root cause of this in the Core.
I think we should have a symbolic cast back to the static type before doing anything with the SVal (iff the BaseKind differs).
If we do this, we will get a Loc as expected - and neither this bug nor your original bug would fire.
WDYT @NoQ @martong @ASDenysPetrov @Szelethus?


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D77062/new/

https://reviews.llvm.org/D77062
