[cfe-dev] [Analyzer] Obtain MemRegion corresponding to a pointer expression that has been cast to a different type
scott constable via cfe-dev
cfe-dev at lists.llvm.org
Wed Aug 19 08:44:42 PDT 2015
Hi All,
I'm analyzing something like the following code:

    #include <stdint.h>

    struct S {
      int a;
      char b;
      int c;
    };

    void bar(uint8_t *p);

    void foo() {
      struct S x;
      bar((uint8_t *)&x);
    }

When I reach the CallEvent corresponding to the call to bar(), I would like
to extract the MemRegion corresponding to x, i.e. by ignoring the (uint8_t
*) cast. My code looks something like this:

    const Expr *arg = Call.getArgExpr(0);
    SVal addrVal = State->getSVal(arg, LCtx);
    Optional<Loc> l = addrVal.getAs<Loc>();
    if (!l) // must be a null pointer
      return nullptr;
    QualType T = getPointedToType(arg);
    return State->getSVal(*l, T).getAsRegion();

where getPointedToType() is defined as

    QualType getPointedToType(const Expr *E) {
      assert(E);
      if (!isPointer(E))
        return QualType();
      // Look through casts to the type of the original expression.
      if (const CastExpr *cast = dyn_cast<CastExpr>(E))
        return getPointedToType(cast->getSubExpr());
      const PointerType *Ty =
          dyn_cast<PointerType>(E->getType().getCanonicalType().getTypePtr());
      if (Ty)
        return Ty->getPointeeType();
      return QualType();
    }

Everything seems to work just fine, until the call to State->getSVal(*l,
T), which returns a NonLoc. If I instead call State->getSVal(*l) without
the pointed-to type, then I do get a MemRegion, but it's an element region
of type uint8_t, NOT what I want.
Am I doing something wrong? Is there a much easier way to do this?
~Scott Constable