[cfe-commits] r162495 - in /cfe/trunk: lib/StaticAnalyzer/Core/ExprEngine.cpp lib/StaticAnalyzer/Core/ExprEngineC.cpp test/Analysis/pointer-to-member.cpp
Jordan Rose
jordan_rose at apple.com
Thu Aug 23 16:01:43 PDT 2012
Author: jrose
Date: Thu Aug 23 18:01:43 2012
New Revision: 162495
URL: http://llvm.org/viewvc/llvm-project?rev=162495&view=rev
Log:
[analyzer] For now, treat pointers-to-members as non-null void * symbols.
Until we have full support for pointers-to-members, we can at least
approximate some of their use by tracking null and non-null values.
We thus treat &A::m_ptr as a non-null void * symbol, and MemberPointer(0)
as a pointer-sized null constant.
This enables support for what is sometimes called the "safe bool" idiom,
demonstrated in the test case.
Added:
cfe/trunk/test/Analysis/pointer-to-member.cpp
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=162495&r1=162494&r2=162495&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Thu Aug 23 18:01:43 2012
@@ -1428,7 +1428,12 @@
}
if (isa<FieldDecl>(D)) {
// FIXME: Compute lvalue of field pointers-to-member.
- Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, UnknownVal()), 0,
+ // Right now we just use a non-null void pointer, so that it gives proper
+ // results in boolean contexts.
+ SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy,
+ currBldrCtx->blockCount());
+ state = state->assume(cast<DefinedOrUnknownSVal>(V), true);
+ Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), 0,
ProgramPoint::PostLValueKind);
return;
}
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp?rev=162495&r1=162494&r2=162495&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp Thu Aug 23 18:01:43 2012
@@ -274,6 +274,9 @@
Bldr.generateNode(CastE, Pred, state);
continue;
}
+ case CK_MemberPointerToBoolean:
+ // FIXME: For now, member pointers are represented by void *.
+ // FALLTHROUGH
case CK_Dependent:
case CK_ArrayToPointerDecay:
case CK_BitCast:
@@ -359,16 +362,21 @@
Bldr.generateNode(CastE, Pred, state);
continue;
}
+ case CK_NullToMemberPointer: {
+ // FIXME: For now, member pointers are represented by void *.
+ SVal V = svalBuilder.makeIntValWithPtrWidth(0, true);
+ state = state->BindExpr(CastE, LCtx, V);
+ Bldr.generateNode(CastE, Pred, state);
+ continue;
+ }
// Various C++ casts that are not handled yet.
case CK_ToUnion:
case CK_BaseToDerived:
- case CK_NullToMemberPointer:
case CK_BaseToDerivedMemberPointer:
case CK_DerivedToBaseMemberPointer:
case CK_ReinterpretMemberPointer:
case CK_ConstructorConversion:
case CK_VectorSplat:
- case CK_MemberPointerToBoolean:
case CK_LValueBitCast: {
// Recover some path-sensitivty by conjuring a new value.
QualType resultType = CastE->getType();
Added: cfe/trunk/test/Analysis/pointer-to-member.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/pointer-to-member.cpp?rev=162495&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/pointer-to-member.cpp (added)
+++ cfe/trunk/test/Analysis/pointer-to-member.cpp Thu Aug 23 18:01:43 2012
@@ -0,0 +1,44 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -analyzer-ipa=inlining -verify %s
+
+void clang_analyzer_eval(bool);
+
+struct A {
+ // This conversion operator allows implicit conversion to bool but not to other integer types.
+ typedef A * (A::*MemberPointer);
+ operator MemberPointer() const { return m_ptr ? &A::m_ptr : 0; }
+
+ A *m_ptr;
+};
+
+void testConditionalUse() {
+ A obj;
+
+ obj.m_ptr = &obj;
+ clang_analyzer_eval(obj.m_ptr); // expected-warning{{TRUE}}
+ clang_analyzer_eval(&A::m_ptr); // expected-warning{{TRUE}}
+ clang_analyzer_eval(obj); // expected-warning{{TRUE}}
+
+ obj.m_ptr = 0;
+ clang_analyzer_eval(obj.m_ptr); // expected-warning{{FALSE}}
+ clang_analyzer_eval(A::MemberPointer(0)); // expected-warning{{FALSE}}
+ clang_analyzer_eval(obj); // expected-warning{{FALSE}}
+}
+
+// ---------------
+// FALSE NEGATIVES
+// ---------------
+
+bool testDereferencing() {
+ A obj;
+ obj.m_ptr = 0;
+
+ A::MemberPointer member = &A::m_ptr;
+
+ // FIXME: Should be TRUE.
+ clang_analyzer_eval(obj.*member == 0); // expected-warning{{UNKNOWN}}
+
+ member = 0;
+
+ // FIXME: Should emit a null dereference.
+ return obj.*member; // no-warning
+}
More information about the cfe-commits
mailing list