r319333 - [analyzer] Fix unreachable creating PathDiagnosticLocation with widen-loops=true

Devin Coughlin via cfe-commits cfe-commits at lists.llvm.org
Wed Nov 29 10:25:37 PST 2017 

Author: dcoughlin
Date: Wed Nov 29 10:25:37 2017
New Revision: 319333

URL: http://llvm.org/viewvc/llvm-project?rev=319333&view=rev
Log:
[analyzer] Fix unreachable creating PathDiagnosticLocation with widen-loops=true

In the original design of the analyzer, it was assumed that a BlockEntrance
doesn't create a new binding on the Store, but this assumption isn't true when
'widen-loops' is set to true. Fix this by finding an appropriate location
BlockEntrace program points.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D37187

Added:
    cfe/trunk/test/Analysis/loop-widening-notes.cpp
Modified:
    cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp

Modified: cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp?rev=319333&r1=319332&r2=319333&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp Wed Nov 29 10:25:37 2017
@@ -690,6 +690,15 @@ PathDiagnosticLocation::create(const Pro
     return getLocationForCaller(CEE->getCalleeContext(),
                                 CEE->getLocationContext(),
                                 SMng);
+  } else if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
+    CFGElement BlockFront = BE->getBlock()->front();
+    if (auto StmtElt = BlockFront.getAs<CFGStmt>()) {
+      return PathDiagnosticLocation(StmtElt->getStmt()->getLocStart(), SMng);
+    } else if (auto NewAllocElt = BlockFront.getAs<CFGNewAllocator>()) {
+      return PathDiagnosticLocation(
+          NewAllocElt->getAllocatorExpr()->getLocStart(), SMng);
+    }
+    llvm_unreachable("Unexpected CFG element at front of block");
   } else {
     llvm_unreachable("Unexpected ProgramPoint");
   }

Added: cfe/trunk/test/Analysis/loop-widening-notes.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/loop-widening-notes.cpp?rev=319333&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/loop-widening-notes.cpp (added)
+++ cfe/trunk/test/Analysis/loop-widening-notes.cpp Wed Nov 29 10:25:37 2017
@@ -0,0 +1,72 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha -analyzer-max-loop 2 -analyzer-config widen-loops=true -analyzer-output=text -verify %s
+
+int *p_a;
+int bar();
+int flag_a;
+int test_for_bug_25609() {
+  if (p_a == 0) // expected-note {{Assuming 'p_a' is equal to null}} 
+                // expected-note at -1 {{Taking true branch}}
+    bar();
+  for (int i = 0;  // expected-note {{Loop condition is true.  Entering loop body}}                    
+                   // expected-note at -1 {{Loop condition is false. Execution continues on line 16}}
+       ++i,        // expected-note {{Value assigned to 'p_a'}} 
+       i < flag_a;
+       ++i) {}
+                                      
+  *p_a = 25609; // no-crash expected-warning {{Dereference of null pointer (loaded from variable 'p_a')}}
+                // expected-note at -1 {{Dereference of null pointer (loaded from variable 'p_a')}}
+  return *p_a;
+}
+
+int flag_b;
+int while_analyzer_output() {
+  flag_b = 100;
+  int num = 10;
+  while (flag_b-- > 0) { // expected-note {{Loop condition is true.  Entering loop body}} 
+                         // expected-note at -1 {{Value assigned to 'num'}} 
+                         // expected-note at -2 {{Loop condition is false. Execution continues on line 30}}
+    num = flag_b;
+  }
+  if (num < 0) // expected-note {{Assuming 'num' is >= 0}} 
+               // expected-note at -1 {{Taking false branch}}
+    flag_b = 0;
+  else if (num >= 1) // expected-note {{Assuming 'num' is < 1}} 
+                     // expected-note at -1 {{Taking false branch}}
+    flag_b = 50;
+  else
+    flag_b = 100;
+  return flag_b / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note at -1 {{Division by zero}}
+}
+
+int flag_c;
+int do_while_analyzer_output() {
+  int num = 10;
+  do {   // expected-note {{Loop condition is true. Execution continues on line 47}} 
+         // expected-note at -1 {{Loop condition is false.  Exiting loop}}
+    num--;
+  } while (flag_c-- > 0); //expected-note {{Value assigned to 'num'}}
+  int local = 0;
+  if (num == 0)       // expected-note {{Assuming 'num' is equal to 0}} 
+                      // expected-note at -1 {{Taking true branch}}
+    local = 10 / num; // no-crash expected-warning {{Division by zero}}
+                      // expected-note at -1 {{Division by zero}}
+  return local;
+}
+
+int flag_d;
+int test_for_loop() {
+  int num = 10;
+  for (int i = 0;    // expected-note {{Loop condition is true.  Entering loop body}} 
+                     // expected-note at -1 {{Loop condition is false. Execution continues on line 67}}
+       new int(10),  // expected-note {{Value assigned to 'num'}}
+       i < flag_d;
+       ++i) {         
+    ++num;
+  }
+  if (num == 0) // expected-note {{Assuming 'num' is equal to 0}} 
+                // expected-note at -1 {{Taking true branch}}
+    flag_d += 10;
+  return flag_d / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note at -1 {{Division by zero}}
+}

More information about the cfe-commits mailing list