On Wed, Jun 5, 2013 at 5:19 PM, Anna Zaks <span dir="ltr"><<a href="mailto:ganna@apple.com" target="_blank">ganna@apple.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Author: zaks<br>
Date: Wed Jun  5 19:19:36 2013<br>
New Revision: 183359<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=183359&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=183359&view=rev</a><br>
Log:<br>
[analyzer] Fix a crash that occurs when processing an rvalue array.<br>
<br>
When processing ArrayToPointerDecay, we expect the array to be a location, not a LazyCompoundVal.<br>
Special case the rvalue arrays by using a location to represent them. This case is handled similarly<br>
elsewhere in the code.<br></blockquote><div><br></div><div>Hmm, maybe we should be generating a MaterializeTemporaryExpr between the ImplicitCastExpr and the array temporary?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Fixes PR16206.<br>
<br>
Modified:<br>
    cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
    cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp<br>
<br>
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=183359&r1=183358&r2=183359&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=183359&r1=183358&r2=183359&view=diff</a><br>

==============================================================================<br>
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp (original)<br>
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Wed Jun  5 19:19:36 2013<br>
@@ -1724,7 +1724,24 @@ void ExprEngine::VisitMemberExpr(const M<br>
<br>
   FieldDecl *field = cast<FieldDecl>(Member);<br>
   SVal L = state->getLValue(field, baseExprVal);<br>
-  if (M->isGLValue()) {<br>
+<br>
+  if (M->isGLValue() || M->getType()->isArrayType()) {<br>
+<br>
+    // We special case rvalue of array type because the analyzer cannot reason<br>
+    // about it, since we expect all regions to be wrapped in Locs. So we will<br>
+    // treat these as lvalues assuming that they will decay to pointers as soon<br>
+    // as they are used. Below<br>
+    if (!M->isGLValue()) {<br>
+      assert(M->getType()->isArrayType());<br>
+      const ImplicitCastExpr *PE =<br>
+        dyn_cast<ImplicitCastExpr>(Pred->getParentMap().getParent(M));<br>
+      if (!PE || PE->getCastKind() != CK_ArrayToPointerDecay) {<br>
+        assert(false &&<br>
+               "We assume that array is always wrapped in ArrayToPointerDecay");<br>
+        L = UnknownVal();<br>
+      }<br>
+    }<br>
+<br>
     if (field->getType()->isReferenceType()) {<br>
       if (const MemRegion *R = L.getAsRegion())<br>
         L = state->getSVal(R);<br>
<br>
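</blockquote><div><br></div><div>Review bot: In the new if (!M->isGLValue()) block, the dyn_cast to ImplicitCastExpr is handed whatever Pred->getParentMap().getParent(M) returns, and dyn_cast asserts on a null pointer, so a MemberExpr with no recorded parent would crash before the !PE check is reached; dyn_cast_or_null would make that check meaningful. The immediate parent may also be a node other than the cast (a ParenExpr around a parenthesized operand, for example), in which case assert(false) fires in asserts builds while release builds silently fall back to L = UnknownVal(); it would be better to pick one behaviour, either looking through intermediate nodes before the check or dropping the assert and keeping the UnknownVal fallback. The comment ending in "as they are used. Below" is also cut off mid-sentence.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">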
Modified: cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp?rev=183359&r1=183358&r2=183359&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp?rev=183359&r1=183358&r2=183359&view=diff</a><br>

==============================================================================<br>
--- cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp (original)<br>
+++ cfe/trunk/test/SemaTemplate/array-to-pointer-decay.cpp Wed Jun  5 19:19:36 2013<br>
@@ -24,3 +24,15 @@ template <typename Type> static bool san<br>
   return !c->start;<br>
 }<br>
 bool closure = sanitize<int>();<br>
+<br>
+// PR16206<br>
+typedef struct {<br>
+       char x[4];<br>
+} chars;<br>
+<br>
+chars getChars();<br>
+void use(char *);<br>
+<br>
+void test() {<br>
+       use(getChars().x);<br>
+}<br>
<br>
<br>
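</blockquote><div><br></div><div>Review bot: The PR16206 regression test is added to test/SemaTemplate/array-to-pointer-decay.cpp while the fix is in lib/StaticAnalyzer/Core/ExprEngine.cpp; the hunk does not show the file's RUN line, so please confirm it actually invokes the analyzer, otherwise test() never reaches VisitMemberExpr and the case belongs under test/Analysis. The test also only covers use(getChars().x), where the member expression is the direct operand of the decay; a case where the array rvalue is not immediately wrapped in ArrayToPointerDecay would exercise the new assert path as well.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">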
</blockquote></div><br>