Hi Ted,<br><br>This patch reports a false warning on this test case:<br><br>#include <sys/socket.h><br>void f(int sock) {<br>  struct sockaddr_storage storage;<br>  struct sockaddr* sockaddr = (struct sockaddr*)&storage;<br>
  socklen_t addrlen = sizeof(storage);<br>  getsockname(sock, sockaddr, &addrlen);<br>  switch (sockaddr->sa_family) {<br>  default:<br>    ;<br>  }<br>}<br><br>$ clang -analyze -analyzer-store=region -checker-cfref 1.c<br>
1.c:7:3: warning: Branch condition evaluates to an uninitialized value.<br>  switch (sockaddr->sa_family) {<br>  ^       ~~~~~~~~~~~~~~~~~~~<br>1 diagnostic generated.<br><br>Perhaps we should not 'blast through' TypedViewRegion?<br>
<br><div class="gmail_quote">On Thu, Dec 18, 2008 at 3:42 AM, Ted Kremenek <span dir="ltr"><<a href="mailto:kremenek@apple.com">kremenek@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Author: kremenek<br>
Date: Wed Dec 17 13:42:34 2008<br>
New Revision: 61147<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=61147&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=61147&view=rev</a><br>
Log:<br>
Fix <rdar://problem/6451816>:<br>
- Because of the introduction of AnonTypedRegions when reasoning about casts, we<br>
  had a regression in the "symbolication" of variable values passed-by-reference<br>
  to a function. This is now fixed in CFRefCount.cpp (-checker-cfref) by<br>
  blasting through the layer of AnonTypedRegions when symbolicating the value of<br>
  the variable. This logic may get moved elsewhere. Note that this change<br>
  affects only -checker-cfref and not -checker-simple; eventually this logic<br>
  should get pulled out of CFRefCount.cpp into a more common place. All users<br>
  use -checker-cfref by default, and -checker-simple should probably just be<br>
  removed.<br>
- Updated test 'Analysis/uninit-vals-ps.c' to only use -checker-cfref and added<br>
  a test case for this regression.<br>
<br>
Modified:<br>
    cfe/trunk/lib/Analysis/CFRefCount.cpp<br>
    cfe/trunk/test/Analysis/uninit-vals-ps.c<br>
<br>
Modified: cfe/trunk/lib/Analysis/CFRefCount.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/CFRefCount.cpp?rev=61147&r1=61146&r2=61147&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/CFRefCount.cpp?rev=61147&r1=61146&r2=61147&view=diff</a><br>

<br>
==============================================================================<br>
--- cfe/trunk/lib/Analysis/CFRefCount.cpp (original)<br>
+++ cfe/trunk/lib/Analysis/CFRefCount.cpp Wed Dec 17 13:42:34 2008<br>
@@ -1599,6 +1599,14 @@<br>
         }<br>
<br>
         const TypedRegion* R = dyn_cast<TypedRegion>(MR->getRegion());<br>
+<br>
+        // Blast through AnonTypedRegions to get the original region type.<br>
+        while (R) {<br>
+          const AnonTypedRegion* ATR = dyn_cast<AnonTypedRegion>(R);<br>
+          if (!ATR) break;<br>
+          R = dyn_cast<TypedRegion>(ATR->getSuperRegion());<br>
+        }<br>
+<br>
         if (R) {<br>
           // Set the value of the variable to be a conjured symbol.<br>
           unsigned Count = Builder.getCurrentBlockCount();<br>
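Review bot: The comment above the new loop says it recovers "the original region type", but the loop actually replaces R with the super region, and the second hunk then uses that R as the bind target. It also leaves R null when a super region is not a TypedRegion, so the `if (R)` branch is skipped for that argument; what happens in that case is outside the hunk. I would reword the comment to `// Strip AnonTypedRegion layers so R is the underlying region (the bind target below); R is null if a super region is not a TypedRegion.` The loop could also be tightened to `while (const AnonTypedRegion* ATR = dyn_cast_or_null<AnonTypedRegion>(R))` with the reassignment of R as its body. The enclosing function starts and ends outside the hunk.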
@@ -1609,7 +1617,7 @@<br>
             SymbolRef NewSym =<br>
               Eng.getSymbolManager().getConjuredSymbol(*I, T, Count);<br>
<br>
-            state = state.BindLoc(*MR,<br>
+            state = state.BindLoc(Loc::MakeVal(R),<br>
                                   Loc::IsLocType(T)<br>
                                   ? cast<SVal>(loc::SymbolVal(NewSym))<br>
                                   : cast<SVal>(nonloc::SymbolVal(NewSym)));<br>
<br>
Modified: cfe/trunk/test/Analysis/uninit-vals-ps.c<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/uninit-vals-ps.c?rev=61147&r1=61146&r2=61147&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/uninit-vals-ps.c?rev=61147&r1=61146&r2=61147&view=diff</a><br>

<br>
==============================================================================<br>
--- cfe/trunk/test/Analysis/uninit-vals-ps.c (original)<br>
+++ cfe/trunk/test/Analysis/uninit-vals-ps.c Wed Dec 17 13:42:34 2008<br>
@@ -1,5 +1,5 @@<br>
-// RUN: clang -checker-simple -verify %s &&<br>
-// RUN: clang -checker-simple -analyzer-store-region -verify %s<br>
+// RUN: clang -checker-cfref -verify %s &&<br>
+// RUN: clang -checker-cfref -analyzer-store-region -verify %s<br>
<br>
 struct FPRec {<br>
   void (*my_func)(int * x);<br>
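Review bot: Replacing both RUN lines drops -checker-simple coverage for every existing case in this file, although presumably only the new rdar_6451816 case depends on the CFRefCount.cpp change. Unless -checker-simple is removed in the same series, I would keep the original `// RUN: clang -checker-simple -verify %s &&` pair here and move the new case into its own file that carries the -checker-cfref RUN lines. The file continues outside the hunk.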
@@ -49,4 +49,22 @@<br>
   return *p;  // expected-warning{{Uninitialized or undefined return value returned to caller.}}<br>
 }<br>
<br>
+// <rdar://problem/6451816><br>
+typedef unsigned char Boolean;<br>
+typedef const struct __CFNumber * CFNumberRef;<br>
+typedef signed long CFIndex;<br>
+typedef CFIndex CFNumberType;<br>
+typedef unsigned long UInt32;<br>
+typedef UInt32 CFStringEncoding;<br>
+typedef const struct __CFString * CFStringRef;<br>
+extern Boolean CFNumberGetValue(CFNumberRef number, CFNumberType theType, void *valuePtr);<br>
+extern CFStringRef CFStringConvertEncodingToIANACharSetName(CFStringEncoding encoding);<br>
+<br>
+CFStringRef rdar_6451816(CFNumberRef nr) {<br>
+  CFStringEncoding encoding;<br>
+  // &encoding is casted to void*.  This test case tests whether or not<br>
+  // we properly invalidate the value of 'encoding'.<br>
+  CFNumberGetValue(nr, 9, &encoding);<br>
+  return CFStringConvertEncodingToIANACharSetName(encoding); // no-warning<br>
+}<br>
<br>
<br>
<br>
</blockquote></div><br>