| field | value | date |
|---|---|---|
| author | Jordan Rose <jordan_rose@apple.com> | 2012-09-01 17:39:09 +0000 |
| committer | Jordan Rose <jordan_rose@apple.com> | 2012-09-01 17:39:09 +0000 |
| commit | 02df4f0aef142f00d4637cd851e54da2a123ca8e | |
| tree | a7e564ed0f2f841da34570bc09c3362bdd7a0399 /lib/StaticAnalyzer/Core/RegionStore.cpp | |
| parent | 5699f62df144545702b91e91836a63db4e5f2627 | |
[analyzer] Treat all struct values as regions (even rvalues).
This allows us to correctly symbolicate the fields of structs returned by
value, as well as get the proper 'this' value for when methods are called
on structs returned by value.
This does require a moderately ugly hack in the StoreManager: if we assign
a "struct value" to a struct region, that now appears as a Loc value being
bound to a region of struct type. We handle this by simply "dereferencing"
the struct value region, which should create a LazyCompoundVal.
This should fix recent crashes analyzing LLVM and on our internal buildbot.
<rdar://problem/12137950>
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163066 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/StaticAnalyzer/Core/RegionStore.cpp')
-rw-r--r-- | lib/StaticAnalyzer/Core/RegionStore.cpp | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/lib/StaticAnalyzer/Core/RegionStore.cpp b/lib/StaticAnalyzer/Core/RegionStore.cpp index b3cf208000..96342260a0 100644 --- a/lib/StaticAnalyzer/Core/RegionStore.cpp +++ b/lib/StaticAnalyzer/Core/RegionStore.cpp @@ -1744,6 +1744,26 @@ StoreRef RegionStoreManager::BindStruct(Store store, const TypedValueRegion* R, if (!RD->isCompleteDefinition()) return StoreRef(store, *this); + // Handle Loc values by automatically dereferencing the location. + // This is necessary because we treat all struct values as regions even if + // they are rvalues; we may then be asked to bind one of these + // "rvalue regions" to an actual struct region. + // (This is necessary for many of the test cases in array-struct-region.cpp.) + // + // This also handles the case of a struct argument passed by value to an + // inlined function. In this case, the C++ standard says that the value + // is copy-constructed into the parameter variable. However, the copy- + // constructor is processed before we actually know if we're going to inline + // the function, and thus we don't actually have the parameter's region + // available. Instead, we use a temporary-object region, then copy the + // bindings over by value. + // + // FIXME: This will be a problem when we handle the destructors of + // temporaries; the inlined function will modify the parameter region, + // but the destructor will act on the temporary region. + if (const loc::MemRegionVal *MRV = dyn_cast<loc::MemRegionVal>(&V)) + V = getBinding(store, *MRV); + // Handle lazy compound values and symbolic values. if (isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)) return BindAggregate(store, R, V); |
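Review bot: The new dereference `V = getBinding(store, *MRV);` has no fallback for the case where the "rvalue region" carries no binding, so `V` can come back as UnknownVal or UndefinedVal and then skips the `isa<nonloc::LazyCompoundVal>(V) || isa<nonloc::SymbolVal>(V)` fast path into the rest of BindStruct, which this hunk does not show handling a non-aggregate value. The comment promises that dereferencing "should create a LazyCompoundVal"; either assert that (`assert(!V.getAs<Loc>())` after the rebind, or an explicit `if (V.isUnknownOrUndef()) return StoreRef(store, *this);`) or document which path a missing binding takes. The FIXME about temporaries and destructors is a known divergence between the region the inlined callee mutates and the one the destructor runs on; it deserves a tracked bug and a regression test alongside the array-struct-region.cpp cases the comment cites rather than only a comment.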