[PATCH] D89055: [analyzer] Wrong type cast occures during pointer dereferencing after type punning

Denys Petrov via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Oct 13 05:15:27 PDT 2020


ASDenysPetrov updated this revision to Diff 297822.
ASDenysPetrov added a comment.

Updated. Removed a new test file, moved the test to an existing file instead.



https://reviews.llvm.org/D89055

Files:
  clang/lib/StaticAnalyzer/Core/Store.cpp
  clang/test/Analysis/casts.c
  clang/test/Analysis/string.c


Index: clang/test/Analysis/string.c
===================================================================
--- clang/test/Analysis/string.c
+++ clang/test/Analysis/string.c
@@ -363,6 +363,14 @@
     strcpy(x, y); // no-warning
 }
 
+// PR37503
+void *get_void_ptr();
+char ***type_punned_ptr;
+void strcpy_no_assertion(char c) {
+  *(unsigned char **)type_punned_ptr = (unsigned char *)(get_void_ptr());
+  strcpy(**type_punned_ptr, &c); // no-crash
+}
+
 //===----------------------------------------------------------------------===
 // stpcpy()
 //===----------------------------------------------------------------------===
Index: clang/test/Analysis/casts.c
===================================================================
--- clang/test/Analysis/casts.c
+++ clang/test/Analysis/casts.c
@@ -245,3 +245,8 @@
   return a * a;
 }
 
+void no_crash_reinterpret_char_as_uchar(char ***a, int *b) {
+  *(unsigned char **)a = (unsigned char *)b;
+  if (**a == 0) // no-crash
+    ;
+}
Index: clang/lib/StaticAnalyzer/Core/Store.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/Store.cpp
+++ clang/lib/StaticAnalyzer/Core/Store.cpp
@@ -426,12 +426,17 @@
   // We might need to do that for non-void pointers as well.
   // FIXME: We really need a single good function to perform casts for us
   // correctly every time we need it.
-  if (castTy->isPointerType() && !castTy->isVoidPointerType())
+  if (castTy->isPointerType() && !castTy->isVoidPointerType()) {
     if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion())) {
       QualType sr = SR->getSymbol()->getType();
       if (!hasSameUnqualifiedPointeeType(sr, castTy))
-          return loc::MemRegionVal(castRegion(SR, castTy));
+        return loc::MemRegionVal(castRegion(SR, castTy));
     }
+    // Next fixes pointer dereference using type different from its initial one.
+    // See PR37503 for details
+    if (const auto *SR = dyn_cast_or_null<ElementRegion>(V.getAsRegion()))
+      return loc::MemRegionVal(castRegion(SR, castTy));
+  }
 
   return svalBuilder.dispatchCast(V, castTy);
 }
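Review bot: The new ElementRegion branch at the end of the pointer-cast block calls castRegion unconditionally, while the SymbolicRegion branch directly above it only does so after hasSameUnqualifiedPointeeType fails; unless castRegion is already a no-op when the element type matches castTy's pointee (not visible in this hunk), every ElementRegion-valued pointer is now re-wrapped on every non-void pointer cast and never reaches dispatchCast. Consider mirroring the guard, e.g. `if (const auto *ER = dyn_cast_or_null<ElementRegion>(V.getAsRegion()))` followed by `if (!hasSameUnqualifiedType(ER->getValueType(), castTy->getPointeeType())) return loc::MemRegionVal(castRegion(ER, castTy));`, with whichever same-type helper the file already uses. Reusing the name `SR` for an ElementRegion in the second `if` is misleading next to the SymbolicRegion above; `ER` reads better. The added comment should state the condition rather than "Next fixes ...", e.g. `// The region was written through a differently-typed pointer (type punning, PR37503); re-cast it so the dereference uses castTy's pointee type.` The enclosing function begins outside this hunk.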



