[PATCH] D31289: [analyzer] Fix symbolication for unknown unary increment/decrement results.
Artem Dergachev via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Mar 23 09:06:52 PDT 2017
NoQ created this revision.
If the result of a unary increment or decrement is unknown, conjure a symbol to represent it based on the operator expression, not on the sub-expression.
In this particular test case, the result of a LocAsInteger increment is unknown, and it gets symbolicated to an `int *`-type symbol, because the sub-expression is an lvalue. This causes a crash later when we're trying to compare a Loc and a NonLoc.
https://reviews.llvm.org/D31289
Files:
lib/StaticAnalyzer/Core/ExprEngineC.cpp
test/Analysis/casts.c
Index: test/Analysis/casts.c
===================================================================
--- test/Analysis/casts.c
+++ test/Analysis/casts.c
@@ -118,3 +118,8 @@
extern float globalFloat;
clang_analyzer_eval(globalFloat); // expected-warning{{UNKNOWN}}
}
+
+void locAsIntegerCasts(void *p) {
+ int x = (int) p;
+ clang_analyzer_eval(++x < 10); // no-crash // expected-warning{{UNKNOWN}}
+}
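Review bot: the new `locAsIntegerCasts` test only exercises the pre-increment form `++x`, while the revision title covers unknown unary increment and decrement results in general. Consider adding `--x`, `x++` and `x--` cases on a value cast from `void *` in the same function, each with its own `// no-crash` check, so that every operator form reaching the changed `conjureSymbolVal` call is pinned down by the regression test.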
Index: lib/StaticAnalyzer/Core/ExprEngineC.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -1054,7 +1054,7 @@
// Conjure a new symbol if necessary to recover precision.
if (Result.isUnknown()){
DefinedOrUnknownSVal SymVal =
- svalBuilder.conjureSymbolVal(nullptr, Ex, LCtx,
+ svalBuilder.conjureSymbolVal(nullptr, U, LCtx,
currBldrCtx->blockCount());
Result = SymVal;
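Review bot: the comment above the changed call, `// Conjure a new symbol if necessary to recover precision.`, does not say why the symbol is now conjured for `U` rather than `Ex`. A short note that the conjured symbol must take the type of the operator expression, because `Ex` is an lvalue and would yield a pointer-typed symbol for an integer result, would keep a later cleanup from switching the argument back and reintroducing the Loc/NonLoc comparison crash described in the summary.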