[cfe-commits] r164441 - in /cfe/trunk: lib/StaticAnalyzer/Core/ExprEngine.cpp test/Analysis/fields.c test/Analysis/nullptr.cpp
Jordan Rose
jordan_rose at apple.com
Fri Sep 21 18:24:33 PDT 2012
Author: jrose
Date: Fri Sep 21 20:24:33 2012
New Revision: 164441
URL: http://llvm.org/viewvc/llvm-project?rev=164441&view=rev
Log:
[analyzer] Check that a member expr is valid even when the result is an lvalue.
We want to catch cases like this early, so that we can produce better
diagnostics and path notes:
Point *p = 0;
int *px = &p->x; // should warn here
*px = 1;
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
cfe/trunk/test/Analysis/fields.c
cfe/trunk/test/Analysis/nullptr.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=164441&r1=164440&r2=164441&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Fri Sep 21 20:24:33 2012
@@ -1515,22 +1515,30 @@
return;
}
- // FIXME: Should we insert some assumption logic in here to determine
- // if "Base" is a valid piece of memory? Before we put this assumption
- // later when using FieldOffset lvals (which we no longer have).
-
// For all other cases, compute an lvalue.
SVal L = state->getLValue(field, baseExprVal);
if (M->isGLValue()) {
+ ExplodedNodeSet Tmp;
+ Bldr.takeNodes(Pred);
+ evalLocation(Tmp, M, M, Pred, state, baseExprVal,
+ /*Tag=*/0, /*isLoad=*/true);
+ Bldr.addNodes(Tmp);
+
+ const MemRegion *ReferenceRegion = 0;
if (field->getType()->isReferenceType()) {
- if (const MemRegion *R = L.getAsRegion())
- L = state->getSVal(R);
- else
+ ReferenceRegion = L.getAsRegion();
+ if (!ReferenceRegion)
L = UnknownVal();
}
- Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), 0,
- ProgramPoint::PostLValueKind);
+ for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I != E; ++I){
+ state = (*I)->getState();
+ if (ReferenceRegion)
+ L = state->getSVal(ReferenceRegion);
+
+ Bldr.generateNode(M, (*I), state->BindExpr(M, LCtx, L), 0,
+ ProgramPoint::PostLValueKind);
+ }
} else {
Bldr.takeNodes(Pred);
evalLoad(Dst, M, M, Pred, state, L);
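Review bot: The evalLocation call at the top of the isGLValue branch deserves a comment, because passing `/*isLoad=*/true` for an expression whose result is never loaded is the one non-obvious step in this hunk: it is there so that the location checks (the null-base case pinned by the fields.c and nullptr.cpp tests) run on `baseExprVal` before the lvalue is bound. I would add, above `ExplodedNodeSet Tmp;`, `// Validate the base (e.g. null pointer) before forming the lvalue, so the diagnostic lands on the member access rather than on a later use of the address.` The loop over `Tmp` would also read more easily with a one-line note that the non-reference `L` is deliberately reused for every node, presumably because `getLValue(field, baseExprVal)` does not depend on the per-node state, whereas the reference case must be re-read from each node's state via `ReferenceRegion`. The enclosing function starts before and continues past this hunk, so the fate of `Dst` when `Tmp` is empty is not visible here and is worth confirming.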
Modified: cfe/trunk/test/Analysis/fields.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/fields.c?rev=164441&r1=164440&r2=164441&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/fields.c (original)
+++ cfe/trunk/test/Analysis/fields.c Fri Sep 21 20:24:33 2012
@@ -26,3 +26,10 @@
Point p;
(void)(p = getit()).x;
}
+
+
+void testNullAddress() {
+ Point *p = 0;
+ int *px = &p->x; // expected-warning{{Access to field 'x' results in a dereference of a null pointer (loaded from variable 'p')}}
+ *px = 1; // No warning because analysis stops at the previous line.
+}
Modified: cfe/trunk/test/Analysis/nullptr.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/nullptr.cpp?rev=164441&r1=164440&r2=164441&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/nullptr.cpp (original)
+++ cfe/trunk/test/Analysis/nullptr.cpp Fri Sep 21 20:24:33 2012
@@ -23,10 +23,11 @@
};
char *np = nullptr;
// casting a nullptr to anything should be caught eventually
- int *ip = &(((struct foo *)np)->f);
- *ip = 0; // expected-warning{{Dereference of null pointer}}
- // should be error here too, but analysis gets stopped
-// *np = 0;
+ int *ip = &(((struct foo *)np)->f); // expected-warning{{Access to field 'f' results in a dereference of a null pointer (loaded from variable 'np')}}
+
+ // Analysis stops at the first problem case, so we won't actually warn here.
+ *ip = 0;
+ *np = 0;
}
// nullptr is implemented as a zero integer value, so should be able to compare