[clang] [StaticAnalyzer] Handle `__builtin_bit_cast` (PR #139188)

Donát Nagy via cfe-commits Fri, 09 May 2025 17:36:22 -0700

================
@@ -285,15 +285,43 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const 
Expr *Ex,
   ExplodedNodeSet dstPreStmt;
   getCheckerManager().runCheckersForPreStmt(dstPreStmt, Pred, CastE, *this);
 
-  if (CastE->getCastKind() == CK_LValueToRValue ||
-      CastE->getCastKind() == CK_LValueToRValueBitCast) {
+  if (CastE->getCastKind() == CK_LValueToRValue) {
     for (ExplodedNode *subExprNode : dstPreStmt) {
       ProgramStateRef state = subExprNode->getState();
       const LocationContext *LCtx = subExprNode->getLocationContext();
       evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, 
LCtx));
     }
     return;
   }
+  if (CastE->getCastKind() == CK_LValueToRValueBitCast) {
+    // Handle `__builtin_bit_cast`:
+    ExplodedNodeSet dstEvalLoad;
+
+    // Simulate the lvalue-to-rvalue conversion on `Ex`:
+    for (ExplodedNode *subExprNode : dstPreStmt) {
+      ProgramStateRef state = subExprNode->getState();
+      const LocationContext *LCtx = subExprNode->getLocationContext();
+      evalLocation(dstEvalLoad, CastE, Ex, subExprNode, state,
+                   state->getSVal(Ex, LCtx), true);
+    }
+    // Simulate the operation that actually casts the original value to a new
+    // value of the destination type :
+    StmtNodeBuilder Bldr(dstEvalLoad, Dst, *currBldrCtx);
+
+    for (ExplodedNode *Node : dstEvalLoad) {
+      ProgramStateRef state = Node->getState();
+      const LocationContext *LCtx = Node->getLocationContext();
+      // getAsRegion should always be successful since Ex is an lvalue:
----------------
NagyDonat wrote:


The `getAsRegion` call would fail on a `loc::ConcreteInt`, which could be a 
valid lvalue in some low-level environments, so perhaps add a test which checks 
that we do not crash on `__builtin_bit_cast(unsigned, 
*(static_cast<int*>(0xdeadbeef)))`. (However, this is mostly paranoia: I don't 
expect a crash, because I'd guess that the analyzer "gives up" this unusual 
case in some earlier step.)


https://github.com/llvm/llvm-project/pull/139188
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [StaticAnalyzer] Handle `__builtin_bit_cast` (PR #139188)

Reply via email to