================
@@ -937,8 +990,21 @@ void StreamChecker::evalFreadFwrite(const FnDescription
*Desc,
// At read, invalidate the buffer in any case of error or success,
// except if EOF was already present.
- if (IsFread && !E.isStreamEof())
- State = escapeArgs(State, C, Call, {0});
+ if (IsFread && !E.isStreamEof()) {
+ // Try to invalidate the individual elements.
+ if (const auto *BufferFirstElem =
+ dyn_cast_or_null<ElementRegion>(Call.getArgSVal(0).getAsRegion()))
{
----------------
NagyDonat wrote:
Why do we see an `ElementRegion` in the case when we're `fread`ing into the
beginning of an array variable?
I see that the element region layer should be there if we did pointer
arithmetic or if this is a symbolic region converted to a type; but not sure
that this covers the "simply read into an array" case as well. Could you add a
simple testcase that validates that the individual element invalidation
activates in a situation like
```
int arr[10];
fread(arr, sizeof(int), 5, <FILE pointer>);
```
?
https://github.com/llvm/llvm-project/pull/93408
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
