diff options
| author | Ted Kremenek <kremenek@apple.com> | 2011-01-14 20:29:43 +0000 |
|---|---|---|
| committer | Ted Kremenek <kremenek@apple.com> | 2011-01-14 20:29:43 +0000 |
| commit | d4f482aa4d77ed2fa6dfbe60ff33599419680818 (patch) | |
| tree | 82a01bb893aa9a5e68c3dc06932188117916faed | |
| parent | 07a77b4b1d1fa95930129541eff8b79558f5d80d (diff) | |
Teach RegionStore::EnterStackFrame() to handle
the case where the called function has fewer
formal arguments than actual arguments. This
fixes a crash in the analyzer when doing
function call inlining.
Patch by Zhenbo Xu!
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@123458 91177308-0d34-0410-b5e6-96231b3b80d8
| -rw-r--r-- | lib/StaticAnalyzer/RegionStore.cpp | 11 | ||||
| -rw-r--r-- | test/Analysis/inline.c | 16 |
2 files changed, 20 insertions, 7 deletions
diff --git a/lib/StaticAnalyzer/RegionStore.cpp b/lib/StaticAnalyzer/RegionStore.cpp index 58cec30313..0dbf97caf9 100644 --- a/lib/StaticAnalyzer/RegionStore.cpp +++ b/lib/StaticAnalyzer/RegionStore.cpp @@ -1868,17 +1868,20 @@ Store RegionStoreManager::RemoveDeadBindings(Store store, Store RegionStoreManager::EnterStackFrame(const GRState *state, const StackFrameContext *frame) { FunctionDecl const *FD = cast<FunctionDecl>(frame->getDecl()); - FunctionDecl::param_const_iterator PI = FD->param_begin(); + FunctionDecl::param_const_iterator PI = FD->param_begin(), + PE = FD->param_end(); Store store = state->getStore(); if (CallExpr const *CE = dyn_cast<CallExpr>(frame->getCallSite())) { CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); - // Copy the arg expression value to the arg variables. - for (; AI != AE; ++AI, ++PI) { + // Copy the arg expression value to the arg variables. We check that + // PI != PE because the actual number of arguments may be different than + // the function declaration. + for (; AI != AE && PI != PE; ++AI, ++PI) { SVal ArgVal = state->getSVal(*AI); store = Bind(store, - svalBuilder.makeLoc(MRMgr.getVarRegion(*PI,frame)), ArgVal); + svalBuilder.makeLoc(MRMgr.getVarRegion(*PI, frame)), ArgVal); } } else if (const CXXConstructExpr *CE = dyn_cast<CXXConstructExpr>(frame->getCallSite())) { diff --git a/test/Analysis/inline.c b/test/Analysis/inline.c index 50c1a54d10..d7a599a765 100644 --- a/test/Analysis/inline.c +++ b/test/Analysis/inline.c @@ -1,14 +1,14 @@ // RUN: %clang_cc1 -analyze -analyzer-check-objc-mem -analyzer-inline-call -analyzer-store region -verify %s -int f1() { +int test1_f1() { int y = 1; y++; return y; } -void f2() { +void test1_f2() { int x = 1; - x = f1(); + x = test1_f1(); if (x == 1) { int *p = 0; *p = 3; // no-warning @@ -18,3 +18,13 @@ void f2() { *p = 3; // expected-warning{{Dereference of null pointer (loaded from variable 'p')}} } } + +// Test that inlining works when the declared function has less arguments +// than the actual number in the declaration. +void test2_f1() {} +int test2_f2(); + +void test2_f3() { + test2_f1(test2_f2()); // expected-warning{{too many arguments in call to 'test2_f1'}} +} + |