diff options
| author | Ted Kremenek <kremenek@apple.com> | 2009-07-11 04:38:49 +0000 |
|---|---|---|
| committer | Ted Kremenek <kremenek@apple.com> | 2009-07-11 04:38:49 +0000 |
| commit | 43d74a5a8e1b6880e6c9813930ce59ab6cadfbf1 (patch) | |
| tree | 2058824fe60da51709b4d7bd1ac8b2177e8b0204 | |
| parent | e07c57947599aa30e96b64626f96ce6c059783c4 (diff) | |
Handle insidious corner case exposed by RegionStoreManager when handling void* values that are bound
to symbolic regions and then treated like integers.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@75356 91177308-0d34-0410-b5e6-96231b3b80d8
| -rw-r--r-- | lib/Analysis/GRExprEngine.cpp | 13 | ||||
| -rw-r--r-- | test/Analysis/misc-ps.m | 21 |
2 files changed, 34 insertions, 0 deletions
diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp index d9117f5930..6bc70d5925 100644 --- a/lib/Analysis/GRExprEngine.cpp +++ b/lib/Analysis/GRExprEngine.cpp @@ -1110,6 +1110,19 @@ void GRExprEngine::EvalLoad(NodeSet& Dst, Expr* Ex, NodeTy* Pred, } else { SVal V = state->getSVal(cast<Loc>(location), Ex->getType()); + + // Casts can create weird scenarios where a location must be implicitly + // converted to something else. For example: + // + // void *x; + // int *y = (int*) &x; // void** -> int* cast. + // invalidate(y); // 'x' now binds to a symbolic region + // int z = *y; + // + if (isa<Loc>(V) && !Loc::IsLocType(Ex->getType())) { + V = EvalCast(V, Ex->getType()); + } + MakeNode(Dst, Ex, Pred, state->bindExpr(Ex, V), K, tag); } } diff --git a/test/Analysis/misc-ps.m b/test/Analysis/misc-ps.m index 581a0543f4..46e8d3703f 100644 --- a/test/Analysis/misc-ps.m +++ b/test/Analysis/misc-ps.m @@ -350,3 +350,24 @@ void testA() { return; } +// RegionStoreManager previously crashed on this example. The problem is that +// the value bound to the field of b->grue after the call to testB_aux is +// a symbolic region. The second '*__gruep__' involves performing a load +// from a 'int*' that really is a 'void**'. The loaded location must be +// implicitly converted to an integer that wraps a location. Previosly we would +// get a crash here due to an assertion failure. +typedef struct _BStruct { void *grue; } BStruct; +void testB_aux(void *ptr); +void testB(BStruct *b) { + { + int *__gruep__ = ((int *)&((b)->grue)); + int __gruev__ = *__gruep__; + testB_aux(__gruep__); + } + { + int *__gruep__ = ((int *)&((b)->grue)); + int __gruev__ = *__gruep__; + if (~0 != __gruev__) {} + } +} + |