[PATCH] D93595: [analyzer] Fix extraction of punned and known scalar SVals

Vince Bridgers via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Sun Dec 20 13:10:04 PST 2020


vabridgers added a comment.

Based on a suggestion from Balazs, I reduced the scope of the initial change to just scalars. There is one issue I'd like to hear comments on, and that's how to handle the case of extracting a bit field outside of the represented APInt. Currently, I'm returning UnknownVal(), following the lead in RegionStore.cpp, line 1775, in method getBindingForElement. During development, I hit an assert in extractBits when encountering a "negative" case exposed by the LIT ptr-arith.cpp - the negative case being an index out of bounds of the punned scalar (see the LIT I added for the negative cases).

Based on this change, some of the basic structure cases are "working" (meaning not showing false results), but the change is probably not comprehensive enough, and definitely not covered well enough by tests, so I'm focusing just on scalars for now. I'm willing to work on this collaboratively to solve these problems, since we encounter these when analyzing our source code.



================
Comment at: clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1657
+    return SVB.makeIntVal(bits, true);
+  }
+  return UnknownVal();
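Review bot: the fall-through `return UnknownVal();` on the last line has no comment saying which case reaches it, so the code alone does not show that this is the path for a read the block closed by `}` did not handle. A one-line comment above it naming that case, backed by a test that pins the Unknown result, would make the intent reviewable. Separately, the bare `true` in `makeIntVal(bits, true)` should carry an argument-name comment, and if it fixes the signedness of the extracted value, it is worth deriving it from the type being read instead of hardcoding it.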
----------------
I added this if to handle the case of something like this:

unsigned short sh = 0x1122;
unsigned char *p = (unsigned char *)&sh;

unsigned char aa = p[0]; //// This is ok, and will yield 0x11 or 0x22 - depending on endianness.
unsigned char ch = p[3]; //// This is an error and should be caught.

I opted for returning UnknownVal() following the lead in RegionStore.cpp:1775 (just below). The negative test cases I added assume this. The ptr-arith.cpp LIT exposed this issue. Otherwise, I hit an assert in extractBits that the bit field is outside of the represented range in the APInt.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D93595/new/

https://reviews.llvm.org/D93595


