[PATCH] D50509: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a function

Umann Kristóf via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Aug 21 03:38:12 PDT 2018


Szelethus added inline comments.


================
Comment at: lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp:223
+  // int*).
+  while (auto Tmp = V.getAs<loc::MemRegionVal>()) {
+    // We can't reason about symbolic regions, assume its initialized.
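Review bot: the loop condition `V.getAs<loc::MemRegionVal>()` only terminates when the walk reaches a non-region value, so a self-referential binding such as the `int **x = (int **)&x;` store quoted below, where `x`, `y` and `z` all resolve to `&element{x,0 S64b,int *}`, never exits; the thread confirms this ends in an infinite loop. Bound the walk by the pointee type depth (the type hierarchy is finite, as suggested) or stop when a region is revisited, and land the quoted test case together with the fix. Minor: the comment should read `assume it's initialized`.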
----------------
Szelethus wrote:
> NoQ wrote:
> > Szelethus wrote:
> > > NoQ wrote:
> > > > Hmm, i still have concerns about things like `int *x = (int *)&x;`. Why not just check the type to terminate the loop? Type hierarchy is guaranteed to be finite.
> > > There actually is a testcase for that -- it would create a nonloc::LocAsInteger, not a loc::MemRegionVal.
> > > 
> > > I'll add a TODO to revisit this loop condition (again :) ).
> > Ok, let's try with one more asterisk:
> > ```
> >     1 void test() {
> >     2   int **x = (int **)&x;
> >     3   int *y = *x;
> >     4   int z = *y;
> >     5 }
> > ```
> > 
> > Here's what i get in the Store:
> > ```
> > (x,0,direct) : &element{x,0 S64b,int *}
> > (y,0,direct) : &element{x,0 S64b,int *}
> > (z,0,direct) : &element{x,0 S64b,int *}
> > ```
> Sounds fun, I'll see how the checker behaves to these when I'm in the office.
Yup, you were correct, it ends up in an infinite loop. I'll add the testcase for it before committing.


https://reviews.llvm.org/D50509
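The termination problem discussed above, reduced to a small constructed model (added example, not the analyzer's or the patch's code): the Store is a map from a region name to the value bound there, the self-referential store is the one NoQ quoted, and the two walkers assume a hypothetical `pointerDepth` argument standing in for the number of `*` in the declared type.

```cpp
#include <map>
#include <string>

// Constructed model of the analyzer Store: a value is either a pointer to a
// named region (loc::MemRegionVal in the real checker) or a non-pointer.
struct Value {
  bool isRegion;       // true: the value is &region
  std::string region;  // meaningful only when isRegion is true
};
using Store = std::map<std::string, Value>;

// Store quoted in the review for
//   int **x = (int **)&x; int *y = *x; int z = *y;
// every variable is bound to &element{x,0 S64b,int *}, i.e. back to x.
static Store selfReferentialStore() {
  return {{"x", {true, "x"}}, {"y", {true, "x"}}, {"z", {true, "x"}}};
}

// Mirrors the reviewed loop: keep dereferencing while the value is a region.
// Returns the number of dereferences, or -1 if `limit` steps were exhausted,
// which is what happens on the self-referential store (the real loop has no
// limit, so it never returns).
static int naiveDeref(const Store &S, Value V, int limit) {
  int steps = 0;
  while (V.isRegion) {
    if (steps >= limit)
      return -1;
    V = S.at(V.region);
    ++steps;
  }
  return steps;
}

// NoQ's suggestion: bound the walk by the pointee type depth (hypothetical
// `pointerDepth` = number of `*` in the declared type). The type hierarchy is
// finite, so this terminates regardless of cycles in the Store.
static int typeBoundedDeref(const Store &S, Value V, int pointerDepth) {
  int steps = 0;
  while (V.isRegion && steps < pointerDepth) {
    V = S.at(V.region);
    ++steps;
  }
  return steps;
}
```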
