[PATCH] D28278: [StaticAnalyzer] dont show wrong 'garbage value' warning when there is array index out of bounds
Daniel Marjamäki via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Mon Feb 27 02:56:12 PST 2017
This revision was automatically updated to reflect the committed changes.
Closed by commit rL296326: [analyzer] clarify 'result is garbage value' when it is out of bounds (authored by danielmarjamaki).
Changed prior to commit:
https://reviews.llvm.org/D28278?vs=89641&id=89854#toc
Repository:
rL LLVM
https://reviews.llvm.org/D28278
Files:
cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
cfe/trunk/test/Analysis/uninit-vals-ps.c
Index: cfe/trunk/test/Analysis/uninit-vals-ps.c
===================================================================
--- cfe/trunk/test/Analysis/uninit-vals-ps.c
+++ cfe/trunk/test/Analysis/uninit-vals-ps.c
@@ -57,6 +57,12 @@
return s.x; // no-warning
}
+void f6(int x) {
+ int a[20];
+ if (x == 25) {}
+ if (a[x] == 123) {} // expected-warning{{The left operand of '==' is a garbage value due to array index out of bounds}}
+}
+
int ret_uninit() {
int i;
int *p = &i;
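Review bot: The new case `f6` pins only the path where the index is definitely out of bounds (`x == 25` against `int a[20]`); nothing in this hunk shows a companion case where an in-bounds read of an uninitialized element keeps the plain message. Without it, a regression that appended the suffix to every array read would still pass this test. Consider adding something like `void f7(void) { int a[20]; if (a[5] == 123) {} }` with an expectation that the diagnostic ends at "is a garbage value". Because `expected-warning` matches on a substring, the expectation has to be written so the suffix's absence is actually checked. The rest of the test file is outside the hunk, so such a case may already exist elsewhere.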
Index: cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
===================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
@@ -35,6 +35,30 @@
};
} // end anonymous namespace
+static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {
+ ProgramStateRef state = C.getState();
+ const LocationContext *LCtx = C.getLocationContext();
+
+ if (!isa<ArraySubscriptExpr>(Ex))
+ return false;
+
+ SVal Loc = state->getSVal(Ex, LCtx);
+ if (!Loc.isValid())
+ return false;
+
+ const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();
+ const ElementRegion *ER = dyn_cast<ElementRegion>(MR);
+ if (!ER)
+ return false;
+
+ DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
+ DefinedOrUnknownSVal NumElements = C.getStoreManager().getSizeInElements(
+ state, ER->getSuperRegion(), ER->getValueType());
+ ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
+ ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
+ return StOutBound && !StInBound;
+}
+
void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
CheckerContext &C) const {
ProgramStateRef state = C.getState();
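Review bot: In `isArrayIndexOutOfBounds`, `Loc.castAs<loc::MemRegionVal>()` is guarded only by `Loc.isValid()`, which does not by itself establish that the value is a memory-region location. If a subscript expression can evaluate to some other kind of location (nothing visible in this hunk rules that out), the cast would trip an assertion in an assertions-enabled build. A checked conversion keeps the helper purely advisory: `Optional<loc::MemRegionVal> RV = Loc.getAs<loc::MemRegionVal>(); if (!RV) return false;`, and the same applies to `ER->getIndex().castAs<DefinedOrUnknownSVal>()`. The helper also lacks a contract comment; `// Returns true only if the index is definitely out of bounds, i.e. no in-bound state is feasible.` would explain why the result is `StOutBound && !StInBound` rather than `StOutBound` alone. The body of `checkPostStmt` continues outside the hunk.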
@@ -77,6 +101,8 @@
<< " operand of '"
<< BinaryOperator::getOpcodeStr(B->getOpcode())
<< "' is a garbage value";
+ if (isArrayIndexOutOfBounds(C, Ex))
+ OS << " due to array index out of bounds";
}
else {
// Neither operand was undefined, but the result is undefined.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D28278.89854.patch
Type: text/x-patch
Size: 2190 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20170227/4df18e78/attachment.bin>