[cfe-commits] r131702 - in /cfe/trunk: lib/StaticAnalyzer/Core/RegionStore.cpp test/Analysis/misc-ps-region-store.cpp
Ted Kremenek
kremenek at apple.com
Thu May 19 16:37:58 PDT 2011
Author: kremenek
Date: Thu May 19 18:37:58 2011
New Revision: 131702
URL: http://llvm.org/viewvc/llvm-project?rev=131702&view=rev
Log:
Teach RegionStore not to symbolicate array values whose indices it cannot reason about.
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
cfe/trunk/test/Analysis/misc-ps-region-store.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp?rev=131702&r1=131701&r2=131702&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Thu May 19 18:37:58 2011
@@ -1063,6 +1063,11 @@
// return *y;
// FIXME: This is a hack, and doesn't do anything really intelligent yet.
const RegionRawOffset &O = R->getAsArrayOffset();
+
+ // If we cannot reason about the offset, return an unknown value.
+ if (!O.getRegion())
+ return UnknownVal();
+
if (const TypedRegion *baseR = dyn_cast_or_null<TypedRegion>(O.getRegion())) {
QualType baseT = baseR->getValueType();
if (baseT->isScalarType()) {
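Review bot: Once `if (!O.getRegion()) return UnknownVal();` guards the null case, the `dyn_cast_or_null<TypedRegion>(O.getRegion())` on the line that follows can be plain `dyn_cast<TypedRegion>(O.getRegion())`, so the null handling lives in one place and the `_or_null` form no longer hides that the guard exists. The added comment could also say what a null region means on this path, e.g. `// A null base region means the array offset could not be computed; degrade to UnknownVal rather than guess.` This now drops precision for every index the store cannot resolve, so downstream checkers see Unknown where they previously got a (spurious, judging by the test's "no-warning") value — worth recording next to the existing FIXME so the trade-off is visible. The enclosing function starts and ends outside this hunk.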
Modified: cfe/trunk/test/Analysis/misc-ps-region-store.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/misc-ps-region-store.cpp?rev=131702&r1=131701&r2=131702&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/misc-ps-region-store.cpp (original)
+++ cfe/trunk/test/Analysis/misc-ps-region-store.cpp Thu May 19 18:37:58 2011
@@ -395,3 +395,22 @@
return x; // no-warning
}
+// Test assigning into a symbolic offset.
+struct TestAssignIntoSymbolicOffset {
+ int **stuff[100];
+ void test(int x, int y);
+};
+
+void TestAssignIntoSymbolicOffset::test(int x, int y) {
+ x--;
+ if (x > 8 || x < 0)
+ return;
+ if (stuff[x])
+ return;
+ if (!stuff[x]) {
+ stuff[x] = new int*[y+1];
+ // Previously triggered a null dereference.
+ stuff[x][y] = 0; // no-warning
+ }
+}
+
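Review bot: The new test only pins the suppressed case; nothing in this file asserts that a definite null in `stuff[x]` is still reported once unresolved indices yield Unknown, so an over-broad suppression in RegionStore would pass here unnoticed. A companion function with a concrete index, e.g. `stuff[0] = 0; stuff[0][0] = 1;` carrying an `// expected-warning` annotation, would pin the precision that should remain. The `if (!stuff[x])` test is redundant after the `if (stuff[x]) return;` guard; if it is there deliberately to seed the path-sensitive state, a one-line comment saying so would stop the next reader from removing it as dead code.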