[cfe-commits] r61147 - in /cfe/trunk: lib/Analysis/CFRefCount.cpp test/Analysis/uninit-vals-ps.c

Zhongxing Xu xuzhongxing at gmail.com
Mon Mar 9 22:48:12 PDT 2009


On Tue, Mar 10, 2009 at 5:54 AM, Ted Kremenek <kremenek at apple.com> wrote:

> On Mar 9, 2009, at 2:41 AM, Zhongxing Xu wrote:
>
>> Hi Ted,
>>
>> This patch report false warning on this test case:
>>
>> #include <sys/socket.h>
>> void f(int sock) {
>>  struct sockaddr_storage storage;
>>  struct sockaddr* sockaddr = (struct sockaddr*)&storage;
>>  socklen_t addrlen = sizeof(storage);
>>  getsockname(sock, sockaddr, &addrlen);
>>  switch (sockaddr->sa_family) {
>>  default:
>>    ;
>>  }
>> }
>>
>> $ clang -analyze -analyzer-store=region -checker-cfref 1.c
>> 1.c:7:3: warning: Branch condition evaluates to an uninitialized value.
>>  switch (sockaddr->sa_family) {
>>  ^       ~~~~~~~~~~~~~~~~~~~
>> 1 diagnostic generated.
>>
>> Perhaps we should not 'blast through' TypedViewRegion?
>>
>
> The motivation for ignoring the TypedViewRegions has to do with typedefs.
> Conceptually we want to handle bindings through typedefs and the desugared
> type as the same:
>
> typedef struct s* MyPointer;
>
> MyPointer p = foo();
> p->f = ...
> struct s* q = p;
> ... = q->f;
>
> Here 'p' will bind to a TypedViewRegion that wraps a SymbolicRegion.
>
> Depending on the return type of foo() (i.e., if it is 'void*' or 'struct
> s*') then 'q' should bind either to a TypedViewRegion or a SymbolicRegion
> with type 'struct s*'.
>
> In this case, we should be reasoning about the same locations for 'q->f'
> and 'p->f'.
>
> I admit that this work should probably happen in RegionStore.  Indeed, all
> invalidation of values should probably go directly through the StoreManager
> at some point.
>
> The issue here is that some type views are "sugar" and others change the
> nature of the binding (e.g., layering 'struct s*' on top of 'void*').
>
> Perhaps we can add a "SugarTypedRegion" (or something with a better name)
> to represent region views that are just sugar but don't change the
> semantics?  This could be useful for RegionStore to help canonicalize the
> names of locations.  Alternatively, the StoreManager can implement a method
> called "getCanonicalRegion()" to transform a MemRegion* into its
> canonical version that is used for binding values.
>

Hi Ted,

We don't have any casts for this example. So why would p and q point to
different regions?

typedef struct s* MyPointer;

struct s* foo();

void bar() {
  MyPointer p = foo();
  struct s* q = p;
}

$ clang -ast-dump 1.c
(CompoundStmt 0x986bba8 <1.c:5:12, line:11:1>
  (DeclStmt 0x986cc98 <line:7:3>
    0x986c878 "MyPointer p =
      (CallExpr 0x986cc78 <col:17, col:21> 'struct s *'
        (ImplicitCastExpr 0x986cc58 <col:17> 'struct s *(*)()'
          (DeclRefExpr 0x986cc20 <col:17> 'struct s *()' FunctionDecl='foo'
0x986c830)))"
  (DeclStmt 0x986cd00 <line:9:3>
    0x986ccb0 "struct s *q =
      (DeclRefExpr 0x986cce0 <col:17> 'MyPointer':'struct s *' Var='p'
0x986c878)")
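The two behaviours discussed in this thread, written out as an added toy model in C: the "getCanonicalRegion()" idea Ted floats (strip only typedef sugar before binding or looking up a value) and the "blast through" behaviour Zhongxing suspects (strip every typed view on write). This is an illustration written for this page, not clang's MemRegion or RegionStore code; the Region and Store types, the sugar test (a view whose desugared type equals its base's type), the field names and the conjured values are all constructed assumptions.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy model of analyzer regions and a binding store (not clang's). */
typedef enum { R_VAR, R_SYMBOLIC, R_TYPEDVIEW } RegionKind;

typedef struct Region {
    RegionKind kind;
    const char *name;          /* variable or symbol name, for readability   */
    const char *type;          /* desugared type of the object being modelled */
    const struct Region *base; /* R_TYPEDVIEW only: the region being viewed  */
} Region;

typedef struct { const Region *region; const char *field; int value; } Binding;

#define MAX_BINDINGS 16
typedef struct { Binding b[MAX_BINDINGS]; int n; } Store;

/* Strip only views that re-spell the base's own type (typedef sugar such as
   MyPointer over struct s*). A view that imposes a different type (struct
   sockaddr over struct sockaddr_storage, struct s* over void*) is kept, since
   it changes how the bytes underneath are interpreted. */
static const Region *canonical(const Region *r) {
    while (r->kind == R_TYPEDVIEW && strcmp(r->type, r->base->type) == 0)
        r = r->base;
    return r;
}

/* Strip every view: the "blast through" behaviour under discussion. */
static const Region *strip_all_views(const Region *r) {
    while (r->kind == R_TYPEDVIEW) r = r->base;
    return r;
}

static void bind_to(Store *s, const Region *key, const char *field, int v) {
    for (int i = 0; i < s->n; i++)
        if (s->b[i].region == key && strcmp(s->b[i].field, field) == 0) {
            s->b[i].value = v;
            return;
        }
    assert(s->n < MAX_BINDINGS);
    s->b[s->n].region = key;
    s->b[s->n].field = field;
    s->b[s->n].value = v;
    s->n++;
}

/* A write through a region, e.g. what getsockname(sock, sockaddr, &addrlen)
   does to the object its pointer reaches: the field gets a fresh, defined value. */
static void bind_field(Store *s, const Region *r, const char *field, int v) {
    bind_to(s, canonical(r), field, v);
}

/* Returns 1 and sets *out when the field is bound, 0 when the analyzer would
   report the read as an uninitialized value. */
static int lookup_field(const Store *s, const Region *r, const char *field, int *out) {
    const Region *key = canonical(r);
    for (int i = 0; i < s->n; i++)
        if (s->b[i].region == key && strcmp(s->b[i].field, field) == 0) {
            *out = s->b[i].value;
            return 1;
        }
    return 0;
}

/* Ted's typedef example: p->f is written through a sugar view of the symbolic
   region foo() returns; q->f reads the desugared region. Returns what q->f
   sees, or -1 if the store would call it unbound. */
int typedef_scenario(void) {
    Store st = {0};
    Region pointee = { R_SYMBOLIC, "*foo()", "struct s", NULL };
    Region via_p   = { R_TYPEDVIEW, "p", "struct s", &pointee };  /* MyPointer */
    bind_field(&st, &via_p, "f", 42);                    /* p->f = ...  */
    int v = 0;
    return lookup_field(&st, &pointee, "f", &v) ? v : -1; /* ... = q->f */
}

/* Zhongxing's test case: the cast to struct sockaddr* is a non-sugar view of
   the sockaddr_storage variable; getsockname() writes through it and the
   switch reads through it. Returns the conjured sa_family, or -1 if unbound. */
int getsockname_scenario(void) {
    Store st = {0};
    Region storage = { R_VAR, "storage", "struct sockaddr_storage", NULL };
    Region view    = { R_TYPEDVIEW, "sockaddr", "struct sockaddr", &storage };
    bind_field(&st, &view, "sa_family", 2);            /* getsockname(...) */
    int v = 0;
    return lookup_field(&st, &view, "sa_family", &v) ? v : -1;
}

/* Same code, but the write strips every view, so the binding lands on the bare
   storage region and the read through the view misses it: the false positive
   from the thread. Returns 1 if the read finds a binding, 0 otherwise. */
int blast_through_scenario(void) {
    Store st = {0};
    Region storage = { R_VAR, "storage", "struct sockaddr_storage", NULL };
    Region view    = { R_TYPEDVIEW, "sockaddr", "struct sockaddr", &storage };
    bind_to(&st, strip_all_views(&view), "sa_family", 2);
    int v = 0;
    return lookup_field(&st, &view, "sa_family", &v);
}

/* No call between the cast and the switch: the read is of a genuinely
   uninitialized value, so a 0 here is a true positive, not a false one. */
int untouched_scenario(void) {
    Store st = {0};
    Region storage = { R_VAR, "storage", "struct sockaddr_storage", NULL };
    Region view    = { R_TYPEDVIEW, "sockaddr", "struct sockaddr", &storage };
    int v = 0;
    return lookup_field(&st, &view, "sa_family", &v);
}
```

The point the four scenarios make is that the write and the read must resolve a region the same way before touching the store: when both strip only sugar, the typedef and the sockaddr cases agree with the source, and a missing binding is left over only for the read that really is uninitialized.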

