r260066 - [analyzer] Avoid crash when attempting to evaluate binary operation on LazyCompoundVal.

Devin Coughlin via cfe-commits cfe-commits at lists.llvm.org
Sun Feb 7 16:28:24 PST 2016 

Author: dcoughlin
Date: Sun Feb  7 18:28:24 2016
New Revision: 260066

URL: http://llvm.org/viewvc/llvm-project?rev=260066&view=rev
Log:
[analyzer] Avoid crash when attempting to evaluate binary operation on LazyCompoundVal.

Instead, return UnknownValue if either operand is a nonloc::LazyCompoundVal. This is a
spot fix for PR 24951.

rdar://problem/23682244

Modified:
    cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
    cfe/trunk/test/Analysis/string.c

Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=260066&r1=260065&r2=260066&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Sun Feb  7 18:28:24 2016
@@ -367,6 +367,11 @@ SVal SValBuilder::evalBinOp(ProgramState
   if (lhs.isUnknown() || rhs.isUnknown())
     return UnknownVal();
 
+  if (lhs.getAs<nonloc::LazyCompoundVal>() ||
+      rhs.getAs<nonloc::LazyCompoundVal>()) {
+    return UnknownVal();
+  }
+
   if (Optional<Loc> LV = lhs.getAs<Loc>()) {
     if (Optional<Loc> RV = rhs.getAs<Loc>())
       return evalBinOpLL(state, op, *LV, *RV, type);

Modified: cfe/trunk/test/Analysis/string.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/string.c?rev=260066&r1=260065&r2=260066&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/string.c (original)
+++ cfe/trunk/test/Analysis/string.c Sun Feb  7 18:28:24 2016
@@ -756,6 +756,20 @@ void strcmp_unknown_arg (char *unknown)
 	clang_analyzer_eval(strcmp(unknown, unknown) == 0); // expected-warning{{TRUE}}
 }
 
+union argument {
+   char *f;
+};
+
+void function_pointer_cast_helper(char **a) {
+  strcmp("Hi", *a); // PR24951 crash
+}
+
+void strcmp_union_function_pointer_cast(union argument a) {
+  void (*fPtr)(union argument *) = (void (*)(union argument *))function_pointer_cast_helper;
+
+  fPtr(&a);
+}
+
 //===----------------------------------------------------------------------===
 // strncmp()
 //===----------------------------------------------------------------------===

More information about the cfe-commits mailing list