diff options
| author | Jordan Rose <jordan_rose@apple.com> | 2012-07-31 16:34:07 +0000 |
|---|---|---|
| committer | Jordan Rose <jordan_rose@apple.com> | 2012-07-31 16:34:07 +0000 |
| commit | 6b4be2ef4ce49717ff972434975ce3c34c9a1c4c (patch) | |
| tree | 589ee667672a92b975667d85c83bf5ede05f707a | |
| parent | d48ab06b178e400ac31ef4fe649e9c33d2caf651 (diff) | |
[analyzer] Getting an lvalue for a reference field still requires a load.
This was causing a crash in our array-to-pointer logic, since the region
was clearly not an array.
PR13440 / <rdar://problem/11977113>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161051 91177308-0d34-0410-b5e6-96231b3b80d8
| -rw-r--r-- | lib/StaticAnalyzer/Core/ExprEngine.cpp | 11 | ||||
| -rw-r--r-- | test/Analysis/reference.cpp | 37 |
2 files changed, 45 insertions, 3 deletions
diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp b/lib/StaticAnalyzer/Core/ExprEngine.cpp index a1cd23dc6b..b46dc49a1b 100644 --- a/lib/StaticAnalyzer/Core/ExprEngine.cpp +++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp @@ -1522,10 +1522,17 @@ void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred, // For all other cases, compute an lvalue. SVal L = state->getLValue(field, baseExprVal); - if (M->isGLValue()) + if (M->isGLValue()) { + if (field->getType()->isReferenceType()) { + if (const MemRegion *R = L.getAsRegion()) + L = state->getSVal(R); + else + L = UnknownVal(); + } + Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), false, 0, ProgramPoint::PostLValueKind); - else { + } else { Bldr.takeNodes(Pred); evalLoad(Dst, M, M, Pred, state, L); Bldr.addNodes(Dst); diff --git a/test/Analysis/reference.cpp b/test/Analysis/reference.cpp index e80952b822..a12e0bd41c 100644 --- a/test/Analysis/reference.cpp +++ b/test/Analysis/reference.cpp @@ -1,4 +1,6 @@ -// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s +// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s + +void clang_analyzer_eval(bool); typedef typeof(sizeof(int)) size_t; void malloc (size_t); @@ -55,3 +57,36 @@ char t6 (char* p) { if (*p) return *p; return *(char*)0; // no-warning } + + +// PR13440 / <rdar://problem/11977113> +// Test that the array-to-pointer decay works for array references as well. +// More generally, when we want an lvalue for a reference field, we still need +// to do one level of load. +namespace PR13440 { + typedef int T[1]; + struct S { + T &x; + + int *m() { return x; } + }; + + struct S2 { + int (&x)[1]; + + int *m() { return x; } + }; + + void test() { + int a[1]; + S s = { a }; + S2 s2 = { a }; + + if (s.x != a) return; + if (s2.x != a) return; + + a[0] = 42; + clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}} + clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}} + } +} |