[PATCH] [analyzer][Bugfix] RegionStore: use pointee type to create one-element regions
Aleksei Sidorin
a.sidorin at samsung.com
Wed Aug 20 02:18:34 PDT 2014
Here is a sample test case:
```
char passAndModifyPtr(int *p) {
  if (*p > 10) {
    *p = 4;
    return 0;
  } else {
    if (*p < 5) {
      *p = 7;
      return 1;
    }
  }
  return 2;
}
```
And this code should be inserted in the checkDeadSymbols() callback of some checker:
```
for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(),
     E = SymReaper.dead_end(); I != E; ++I) {
  SymbolRef Sym = *I;
  Sym->dump();
  llvm::errs() << "\n";
  // One of the symbols reaped is a value associated with *p
  if (const SymbolRegionValue *V = dyn_cast<SymbolRegionValue>(Sym)) {
    const MemRegion *MR = V->getRegion();
    // one-element ElementRegion is created automatically
    if (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) {
      const MemRegion *BaseReg = ER->getBaseRegion();
      // BaseReg is a SymRegion{reg_$0<p>}
      // Its value should be nonloc::SymbolVal(Sym)
      // i.e. reg_$1<element{SymRegion{reg_$0<p>},0 S32b,int}>
      BaseReg->dump();
      llvm::errs() << "\n";
      State->getSVal(BaseReg).dump(); // but wrong SVal is created here
    }
  }
}
```
The SVal related to `*p` is `nonloc::SymbolVal(reg_$1<element{SymRegion{reg_$0<p>},0 S32b,int}>)`. The same value should be retrieved by `getSVal(SymRegion{reg_$0<p>})`. But the result of this action is `&SymRegion{reg_$2<element{SymRegion{reg_$0<p>},0 S32b,int *}>}`, which seems to be incorrect.
http://reviews.llvm.org/D4974