[PATCH] D89055: [analyzer] Wrong type cast occures during pointer dereferencing after type punning
Denys Petrov via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Mon Oct 12 07:17:30 PDT 2020
ASDenysPetrov updated this revision to Diff 297579.
ASDenysPetrov added a comment.
Updated the patch per review suggestions and fixed formatting.
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D89055/new/
https://reviews.llvm.org/D89055
Files:
clang/lib/StaticAnalyzer/Core/Store.cpp
clang/test/Analysis/nonloc-as-loc-crash.c
clang/test/Analysis/string.c
Index: clang/test/Analysis/string.c
===================================================================
--- clang/test/Analysis/string.c
+++ clang/test/Analysis/string.c
@@ -363,6 +363,14 @@
strcpy(x, y); // no-warning
}
+// PR37503
+void *get_void_ptr();
+char ***type_punned_ptr;
+void strcpy_no_assertion(char c) {
+ *(unsigned char **)type_punned_ptr = (unsigned char *)(get_void_ptr());
+ strcpy(**type_punned_ptr, &c); // no-crash
+}
+
//===----------------------------------------------------------------------===
// stpcpy()
//===----------------------------------------------------------------------===
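Review bot: The helper at the top of the new test is declared with an empty parameter list, `void *get_void_ptr();`, which in C is an old-style declaration with unspecified arguments rather than a zero-argument prototype; prefer `void *get_void_ptr(void);` so the declaration matches the call on the following line and does not trip `-Wstrict-prototypes` in builds that enable it. The test itself only asserts the absence of a crash, which is what PR37503 is about, so no expected-diagnostic is needed here.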
Index: clang/test/Analysis/nonloc-as-loc-crash.c
===================================================================
--- /dev/null
+++ clang/test/Analysis/nonloc-as-loc-crash.c
@@ -0,0 +1,12 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
+// expected-no-diagnostics
+
+void test(int *a, char ***b, float *c) {
+ *(unsigned char **)b = (unsigned char *)a;
+ if (**b == 0) // no-crash
+ ;
+
+ *(unsigned char **)b = (unsigned char *)c;
+ if (**b == 0) // no-crash
+ ;
+}
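Review bot: The new file has no comment explaining what it exercises, and with `expected-no-diagnostics` a regression would surface only as an analyzer crash, so a reader has nothing to go on. I would add a header comment after the RUN line along the lines of `// Writing through (unsigned char **)b replaces the char ** pointee with an unsigned char *, so **b dereferences a region whose element type differs from the cast type; the analyzer used to assert here (PR37503).` — presumably that is the mechanism, since the fix lives in the ElementRegion path of the store cast; confirm against the bug report. Naming the cases (`int *` source, `float *` source) inline, e.g. `// int* -> unsigned char*` before the first store, would also make the two halves of the test self-describing.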
Index: clang/lib/StaticAnalyzer/Core/Store.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/Store.cpp
+++ clang/lib/StaticAnalyzer/Core/Store.cpp
@@ -426,12 +426,17 @@
// We might need to do that for non-void pointers as well.
// FIXME: We really need a single good function to perform casts for us
// correctly every time we need it.
- if (castTy->isPointerType() && !castTy->isVoidPointerType())
+ if (castTy->isPointerType() && !castTy->isVoidPointerType()) {
if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion())) {
QualType sr = SR->getSymbol()->getType();
if (!hasSameUnqualifiedPointeeType(sr, castTy))
- return loc::MemRegionVal(castRegion(SR, castTy));
+ return loc::MemRegionVal(castRegion(SR, castTy));
}
+ // Next fixes pointer dereference using type different from its initial one
+ // See PR37503 for details
+ if (const auto *SR = dyn_cast_or_null<ElementRegion>(V.getAsRegion()))
+ return loc::MemRegionVal(castRegion(SR, castTy));
+ }
return svalBuilder.dispatchCast(V, castTy);
}
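Review bot: The new ElementRegion branch casts unconditionally, whereas the SymbolicRegion branch directly above it casts only when `hasSameUnqualifiedPointeeType(sr, castTy)` fails; it is not visible here whether `castRegion` short-circuits when the element type already matches `castTy`, so every ElementRegion dereference now pays for a cast and, if `castRegion` wraps rather than returns the input, may produce nested element regions — worth confirming, and worth an equivalent type check if it does not short-circuit. The binding is also named `SR` although it is an `ElementRegion`, which the first branch uses for a SymbolicRegion; rename it and make the comment say what the mismatch is: `// The pointer was stored through a type-punned cast, so the element type no longer matches the type being dereferenced (PR37503); re-cast the region to castTy.` followed by `if (const auto *ER = dyn_cast_or_null<ElementRegion>(V.getAsRegion()))` and `return loc::MemRegionVal(castRegion(ER, castTy));`. The enclosing function begins before this hunk.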