[cfe-commits] [PATCH] Fix for PR7218, and analyzer support for calloc()

Sun May 30 15:16:22 PDT 2010

On May 30, 2010, at 3:03 PM, Ted Kremenek wrote:

> 
> On May 30, 2010, at 12:46 AM, Jordy Rose wrote:
> 
>> Binding a symbolic region whose type is a reference shows up when the
>> reference is an argument, like so:
>> 
>> char t3 (char& r) {
>> r = 'c';
>> if (r) return r;
>> return '0';
>> }
>> 
>> The reason for the SymbolicRegion section in canHaveDirectBinding(),
>> though, was originally more about having a way to set default values by
>> taking advantages of a fact about SymbolicRegions (if you're accessing them
>> directly, it's either *p or a reference, or an explicit call to Bind()),
>> not enforcing a rule.
> 
> I don't binding directly to the SymbolicRegion is the right way to handle references.  In this case, I'd expect 'r' to evaluate to:
> 
>  ElementRegion(SymbolicRegion, "char", 0)
> 
> and then the binding at:
> 
>  r = 'c'
> 
> binds to the ElementRegion.  There's no reason to special case references.  Indeed, we should be treating them just as pointers.  Consider:
> 
>  int *p = 0;
>  int &q = *p;
>  q = 1;
> 
> At the assignment to 'q' we still need do a null check, an out-of-bounds check, etc.
> 
> 

I should add that I'm originally the one who added the code that did the wrong thing:

  http://llvm.org/viewvc/llvm-project?view=rev&revision=91501

As for the code snippet in PR 7218:
  char broken (char a) {
      char buf[2];
      buf[0] = a;
      return buf[1]; // should warn but does not
  }
This should be fixed by detecting if we are going outside the bounds of the memory block.  I don't think this requires changing the binding model in RegionStoreManager.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20100530/1d12716a/attachment.html>