[cfe-commits] r47340 - in /cfe/trunk: Analysis/GRExprEngine.cpp include/clang/Analysis/PathSensitive/GRExprEngine.h
Ted Kremenek
kremenek at apple.com
Tue Feb 19 12:53:06 PST 2008
Author: kremenek
Date: Tue Feb 19 14:53:06 2008
New Revision: 47340
URL: http://llvm.org/viewvc/llvm-project?rev=47340&view=rev
Log:
Added special handling for UninitializedVals for the transfer function logic
for pointer dereferences.
Modified:
cfe/trunk/Analysis/GRExprEngine.cpp
cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h
Modified: cfe/trunk/Analysis/GRExprEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/Analysis/GRExprEngine.cpp?rev=47340&r1=47339&r2=47340&view=diff
==============================================================================
--- cfe/trunk/Analysis/GRExprEngine.cpp (original)
+++ cfe/trunk/Analysis/GRExprEngine.cpp Tue Feb 19 14:53:06 2008
@@ -642,6 +642,17 @@
const RValue& V = GetValue(St, U->getSubExpr());
const LValue& L1 = cast<LValue>(V);
+ if (isa<UninitializedVal>(L1)) {
+ NodeTy* N = Builder->generateNode(U, St, N1);
+
+ if (N) {
+ N->markAsSink();
+ UninitDeref.insert(N);
+ }
+
+ return;
+ }
+
// After a dereference, one of two possible situations arise:
// (1) A crash, because the pointer was NULL.
// (2) The pointer is not NULL, and the dereference works.
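Review bot: The new `isa<UninitializedVal>(L1)` test runs only after `cast<LValue>(V)` on the line above it, so it is reached only when an uninitialized value already passes as an LValue. The class hierarchy is not visible in this hunk, but if UninitializedVal is not an LValue, the cast asserts before this branch can record the node. Testing the un-cast value first, `if (isa<UninitializedVal>(V)) {` placed ahead of the cast, removes that dependency. A comment such as `// Dereference of an uninitialized pointer: end this path and record the node.` would also explain why the node is marked as a sink. The enclosing case begins and ends outside the hunk.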
@@ -776,6 +787,11 @@
break;
}
+ if (isa<UninitializedVal>(V2)) {
+ Nodify(Dst, B, N2, SetValue(SetValue(St, B, V2), L1, V2));
+ break;
+ }
+
RValue Result = cast<NonLValue>(UnknownVal());
if (Op >= BinaryOperator::AndAssign)
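Review bot: The added branch for an uninitialized `V2` binds the value to both `B` and `L1` and then breaks, but unlike the dereference case it records nothing that a report could later pick up. If silent propagation is intended here, which seems likely but cannot be confirmed from the hunk, say so in a comment, for example `// RHS is uninitialized: propagate it to the expression and to the assigned location.` The surrounding switch case starts and ends outside the hunk.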
@@ -1232,6 +1248,7 @@
if (GraphPrintCheckerState->isImplicitNullDeref(N) ||
GraphPrintCheckerState->isExplicitNullDeref(N) ||
+ GraphPrintCheckerState->isUninitDeref(N) ||
GraphPrintCheckerState->isUninitStore(N) ||
GraphPrintCheckerState->isUninitControlFlow(N))
return "color=\"red\",style=\"filled\"";
@@ -1268,6 +1285,9 @@
else if (GraphPrintCheckerState->isExplicitNullDeref(N)) {
Out << "\\|Explicit-Null Dereference.\\l";
}
+ else if (GraphPrintCheckerState->isUninitDeref(N)) {
+ Out << "\\|Dereference of uninitialied value.\\l";
+ }
else if (GraphPrintCheckerState->isUninitStore(N)) {
Out << "\\|Store to Uninitialized LValue.";
}
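Review bot: The new graph label misspells "uninitialized" as "uninitialied", which will show up in every rendered node for this bug class and break text searches of the graph output. The line should read `Out << "\\|Dereference of uninitialized value.\\l";`. The function containing this chain of checks is only partly visible in the hunk.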
Modified: cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h?rev=47340&r1=47339&r2=47340&view=diff
==============================================================================
--- cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h (original)
+++ cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h Tue Feb 19 14:53:06 2008
@@ -121,9 +121,10 @@
/// ImplicitNullDeref - Nodes in the ExplodedGraph that result from
/// taking a dereference on a symbolic pointer that may be NULL.
- typedef llvm::SmallPtrSet<NodeTy*,5> NullDerefTy;
- NullDerefTy ImplicitNullDeref;
- NullDerefTy ExplicitNullDeref;
+ typedef llvm::SmallPtrSet<NodeTy*,5> BadDerefTy;
+ BadDerefTy ImplicitNullDeref;
+ BadDerefTy ExplicitNullDeref;
+ BadDerefTy UninitDeref;
bool StateCleaned;
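Review bot: `UninitDeref` is added without a doc comment, and the existing `/// ImplicitNullDeref` comment now sits above the renamed typedef rather than the member it describes. I would move that comment down to the `ImplicitNullDeref` declaration and give the new set its own, e.g. `/// UninitDeref - Nodes in the ExplodedGraph that result from taking a dereference on an uninitialized value.` `ExplicitNullDeref` has no description in the visible lines either.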
@@ -187,7 +188,11 @@
return N->isSink() && ExplicitNullDeref.count(const_cast<NodeTy*>(N)) != 0;
}
- typedef NullDerefTy::iterator null_iterator;
+ bool isUninitDeref(const NodeTy* N) const {
+ return N->isSink() && UninitDeref.count(const_cast<NodeTy*>(N)) != 0;
+ }
+
+ typedef BadDerefTy::iterator null_iterator;
null_iterator null_begin() { return ExplicitNullDeref.begin(); }
null_iterator null_end() { return ExplicitNullDeref.end(); }
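Review bot: There is no way to enumerate `UninitDeref` in the visible lines: `null_begin()`/`null_end()` still walk only `ExplicitNullDeref`, so a client that reports bugs by iterating would never see the new set. A matching pair such as `null_iterator uninit_deref_begin() { return UninitDeref.begin(); }` and `null_iterator uninit_deref_end() { return UninitDeref.end(); }` would expose it. The `null_iterator` name is also misleading now that it is `BadDerefTy::iterator`. Separately, the `N->isSink() &&` test in `isUninitDeref` looks redundant, since the only visible insertion into the set follows `markAsSink()`.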