alexshap created this revision.
Herald added a subscriber: xazax.hun.
This patch attempts to fix analyzer's crash on the newly added test case (see
also https://bugs.llvm.org/show_bug.cgi?id=34374).
Pointer subtraction appears to be modeled incorrectly in the following example:
char* p;
long n = p - reinterpret_cast<char*>((unsigned long)1);
In this case the analyzer (built without this patch) tries to create a symbolic
value for the difference
treating reinterpret_cast<char*>((unsigned long)1) as an integer, that is not
correct.
Test plan: make check-all
Repository:
rL LLVM
https://reviews.llvm.org/D38214
Files:
lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
test/Analysis/ptr-arith.cpp
Index: test/Analysis/ptr-arith.cpp
===================================================================
--- test/Analysis/ptr-arith.cpp
+++ test/Analysis/ptr-arith.cpp
@@ -111,3 +111,9 @@
__UINTPTR_TYPE__ y = (__UINTPTR_TYPE__)p - 1;
return y == x;
}
+
+// Bug 34374
+bool integerAsPtrSubtractionNoCrash(char *p, __UINTPTR_TYPE__ m) {
+ auto n = p - reinterpret_cast<char*>((__UINTPTR_TYPE__)1);
+ return n == m;
+}
Index: lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -726,9 +726,11 @@
if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) {
// If one of the operands is a symbol and the other is a constant,
// build an expression for use by the constraint manager.
- if (SymbolRef lSym = lhs.getAsLocSymbol(true))
- return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
-
+ if (SymbolRef lSym = lhs.getAsLocSymbol(true)) {
+ if (BinaryOperator::isComparisonOp(op))
+ return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
+ return UnknownVal();
+ }
// Special case comparisons to NULL.
// This must come after the test if the LHS is a symbol, which is used to
// build constraints. The address of any non-symbolic region is
guaranteed
Index: test/Analysis/ptr-arith.cpp
===================================================================
--- test/Analysis/ptr-arith.cpp
+++ test/Analysis/ptr-arith.cpp
@@ -111,3 +111,9 @@
__UINTPTR_TYPE__ y = (__UINTPTR_TYPE__)p - 1;
return y == x;
}
+
+// Bug 34374
+bool integerAsPtrSubtractionNoCrash(char *p, __UINTPTR_TYPE__ m) {
+ auto n = p - reinterpret_cast<char*>((__UINTPTR_TYPE__)1);
+ return n == m;
+}
Index: lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -726,9 +726,11 @@
if (Optional<loc::ConcreteInt> rInt = rhs.getAs<loc::ConcreteInt>()) {
// If one of the operands is a symbol and the other is a constant,
// build an expression for use by the constraint manager.
- if (SymbolRef lSym = lhs.getAsLocSymbol(true))
- return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
-
+ if (SymbolRef lSym = lhs.getAsLocSymbol(true)) {
+ if (BinaryOperator::isComparisonOp(op))
+ return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
+ return UnknownVal();
+ }
// Special case comparisons to NULL.
// This must come after the test if the LHS is a symbol, which is used to
// build constraints. The address of any non-symbolic region is guaranteed
_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
