r193265 - [analyzer] Generate a LazyCompoundVal when loading from a union-typed region.
Jordan Rose
jordan_rose at apple.com
Wed Oct 23 13:08:55 PDT 2013
Author: jrose
Date: Wed Oct 23 15:08:55 2013
New Revision: 193265
URL: http://llvm.org/viewvc/llvm-project?rev=193265&view=rev
Log:
[analyzer] Generate a LazyCompoundVal when loading from a union-typed region.
This ensures that variables accessible through a union are invalidated when
the union value is passed to a function. We still don't fully handle union
values, but this should at least quiet some false positives.
PR16596
Modified:
cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
cfe/trunk/test/Analysis/unions.cpp
Modified: cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp?rev=193265&r1=193264&r2=193265&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Wed Oct 23 15:08:55 2013
@@ -1312,7 +1312,7 @@ SVal RegionStoreManager::getBinding(Regi
// FIXME: Handle unions.
if (RTy->isUnionType())
- return UnknownVal();
+ return createLazyBinding(B, R);
if (RTy->isArrayType()) {
if (RTy->isConstantArrayType())
@@ -1906,6 +1906,8 @@ RegionStoreManager::bind(RegionBindingsC
return bindStruct(B, TR, V);
if (Ty->isVectorType())
return bindVector(B, TR, V);
+ if (Ty->isUnionType())
+ return bindAggregate(B, TR, V);
}
if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
Modified: cfe/trunk/test/Analysis/unions.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/unions.cpp?rev=193265&r1=193264&r2=193265&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/unions.cpp (original)
+++ cfe/trunk/test/Analysis/unions.cpp Wed Oct 23 15:08:55 2013
@@ -1,5 +1,7 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core %s -verify
-// expected-no-diagnostics
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection %s -verify
+
+extern void clang_analyzer_eval(bool);
+extern "C" char *strdup(const char *s);
namespace PR14054_reduced {
struct Definition;
@@ -49,3 +51,58 @@ namespace PR14054_original {
x = pn->pn_u.name.lexdef->pn_u.name.lexdef;
}
}
+
+namespace PR17596 {
+ union IntOrString {
+ int i;
+ char *s;
+ };
+
+ extern void process(IntOrString);
+
+ void test() {
+ IntOrString uu;
+ uu.s = strdup("");
+ process(uu);
+ }
+
+ void testPositive() {
+ IntOrString uu;
+ uu.s = strdup("");
+ } // expected-warning{{leak}}
+
+ void testCopy() {
+ IntOrString uu;
+ uu.i = 4;
+ clang_analyzer_eval(uu.i == 4); // expected-warning{{TRUE}}
+
+ IntOrString vv;
+ vv.i = 5;
+ uu = vv;
+ // FIXME: Should be true.
+ clang_analyzer_eval(uu.i == 5); // expected-warning{{UNKNOWN}}
+ }
+
+ void testInvalidation() {
+ IntOrString uu;
+ uu.s = strdup("");
+
+ IntOrString vv;
+ char str[] = "abc";
+ vv.s = str;
+
+ // FIXME: This is a leak of uu.s.
+ uu = vv;
+ }
+
+ void testIndirectInvalidation() {
+ IntOrString uu;
+ char str[] = "abc";
+ uu.s = str;
+
+ clang_analyzer_eval(uu.s[0] == 'a'); // expected-warning{{TRUE}}
+
+ process(uu);
+ clang_analyzer_eval(uu.s[0] == 'a'); // expected-warning{{UNKNOWN}}
+ }
+}
More information about the cfe-commits
mailing list