[clang] [analyzer] Refine invalidation caused by `fread` (PR #93408)
Donát Nagy via cfe-commits
cfe-commits at lists.llvm.org
Mon May 27 05:01:05 PDT 2024
================
@@ -937,8 +990,21 @@ void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
// At read, invalidate the buffer in any case of error or success,
// except if EOF was already present.
- if (IsFread && !E.isStreamEof())
- State = escapeArgs(State, C, Call, {0});
+ if (IsFread && !E.isStreamEof()) {
+ // Try to invalidate the individual elements.
+ if (const auto *BufferFirstElem =
+ dyn_cast_or_null<ElementRegion>(Call.getArgSVal(0).getAsRegion())) {
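Review bot: the `dyn_cast_or_null<ElementRegion>` on the buffer argument only matches when the region of argument 0 is an `ElementRegion`, yet the unconditional `State = escapeArgs(State, C, Call, {0});` that the hunk removes was the only invalidation for every other region kind; the branch needs an `else` that keeps that `escapeArgs` call as the fallback, otherwise a buffer whose region is not an `ElementRegion` would no longer be invalidated after `fread`, contradicting the comment "invalidate the buffer in any case of error or success" directly above. That comment should also be extended to say that element-wise invalidation is attempted first.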
----------------
NagyDonat wrote:
Why do we see an `ElementRegion` in the case when we're `fread`ing into the beginning of an array variable?
I see that the element region layer should be there if we did pointer arithmetic or if this is a symbolic region converted to a type; but not sure that this covers the "simply read into an array" case as well. Could you add a simple testcase that validates that the individual element invalidation activates in a situation like
```c
int arr[10];
fread(arr, sizeof(int), 5, <FILE pointer>);
```
?
https://github.com/llvm/llvm-project/pull/93408