[PATCH] D63720: [analyzer] ExprEngine: Escape pointers in bitwise operations

Csaba Dabis via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Jun 24 09:43:55 PDT 2019 

Charusso added a comment.

These bitwise operations only affects the part which we do not analyze. My previous approach to solve this problem caused one false positive, so we should be that strict. Just in case for the future developments, copy-pasted here:

  // If we have a bitwise operation (e.g. checking low-bits) of a pointer    
  // we would like to keep the pointer to work with it later. Otherwise it  
  // would be an Unknown value after evaluation and we would lost tracking.  
  if (B->isBitwiseOp()) {                                                    
    bool IsLhsPtr = false, IsRhsPtr = false;                                
    const MemRegion *LeftMR = nullptr, *RightMR = nullptr;                  
                                                                             
    if ((LeftMR = LeftV.getAsRegion()))                                      
      IsLhsPtr = LeftMR->getSymbolicBase();                                  
    if ((RightMR = RightV.getAsRegion()))                                    
      IsRhsPtr = RightMR->getSymbolicBase();                                
                                                                             
    // If only one of the operands is a pointer we should keep it.          
    if (IsLhsPtr ^ IsRhsPtr) {                                              
      SVal KeepV = IsLhsPtr ? LeftV : RightV;                                
      state = state->BindExpr(B, LCtx, KeepV);                              
      Bldr.generateNode(B, *it, state);                                      
      continue;                                                              
    }                                                                        
                                                                             
    // If both of the operands are pointers we would like to keep the one    
    // which dominates. Treat the lower-level pointer as a helper to set up  
    // some low-bits of the higher-level pointer and keep the latter.        
    if (IsLhsPtr && IsRhsPtr) {                                              
      bool IsLhsDominates = false, IsRhsDominates = false;                  
                                                                             
      if (const MemRegion *LeftBase = LeftMR->getBaseRegion())              
        if (const MemSpaceRegion *LeftMS = LeftBase->getMemorySpace())      
          IsLhsDominates = isa<HeapSpaceRegion>(LeftMS);                    
                                                                             
      if (const MemRegion *RightBase = RightMR->getBaseRegion())            
        if (const MemSpaceRegion *RightMS = RightBase->getMemorySpace())    
          IsRhsDominates = isa<HeapSpaceRegion>(RightMS);                    
                                                                             
      if (IsLhsDominates ^ IsRhsDominates) {                                
        SVal KeepDominatorV = IsLhsDominates ? LeftV : RightV;              
        state = state->BindExpr(B, LCtx, KeepDominatorV);                    
        Bldr.generateNode(B, *it, state);                                    
        continue;                                                            
      }                                                                      
    }                                                                        
  }


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63720/new/

https://reviews.llvm.org/D63720

More information about the cfe-commits mailing list