Add checking for zero-sized VLAs.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@60726 91177308-0d34-0410-b5e6-96231b3b80d8

2 files changed, 57 insertions, 3 deletions

diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index 8a32bfe952..fb52067573 100644
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp
@@ -1773,8 +1773,7 @@ void GRExprEngine::VisitDeclStmt(DeclStmt* DS, NodeTy* Pred, NodeSet& Dst) {
   if (!D || !isa<VarDecl>(D))
     return;
   
-  const VarDecl* VD = dyn_cast<VarDecl>(D);
-  
+  const VarDecl* VD = dyn_cast<VarDecl>(D);    
   Expr* InitEx = const_cast<Expr*>(VD->getInit());
 
   // FIXME: static variables may have an initializer, but the second
@@ -1812,6 +1811,33 @@ void GRExprEngine::VisitDeclStmt(DeclStmt* DS, NodeTy* Pred, NodeSet& Dst) {
     }
     else
       St = StateMgr.BindDecl(St, VD, 0, Count);
+    
+    
+    // Check if 'VD' is a VLA and if so check if has a non-zero size.
+    QualType T = getContext().getCanonicalType(VD->getType());
+    if (VariableArrayType* VLA = dyn_cast<VariableArrayType>(T)) {
+      // FIXME: Handle multi-dimensional VLAs.
+      
+      Expr* SE = VLA->getSizeExpr();
+      SVal Size = GetSVal(St, SE);
+
+      bool isFeasibleZero = false;
+      const GRState* ZeroSt =  Assume(St, Size, false, isFeasibleZero);
+            
+      bool isFeasibleNotZero = false;
+      St = Assume(St, Size, true, isFeasibleNotZero);
+      
+      if (isFeasibleZero) {
+        if (NodeTy* N = Builder->generateNode(DS, ZeroSt, Pred)) {
+          N->markAsSink();          
+          if (isFeasibleNotZero) ImplicitZeroSizedVLA.insert(N);
+          else ExplicitZeroSizedVLA.insert(N);
+        }
+      }
+      
+      if (!isFeasibleNotZero)
+        continue;      
+    }
 
     MakeNode(Dst, DS, *I, St);
   }
diff --git a/lib/Analysis/GRExprEngineInternalChecks.cpp b/lib/Analysis/GRExprEngineInternalChecks.cpp
index be7282314d..8b484ab10c 100644
--- a/lib/Analysis/GRExprEngineInternalChecks.cpp
+++ b/lib/Analysis/GRExprEngineInternalChecks.cpp
@@ -163,7 +163,7 @@ public:
                "Receiver in message expression is an uninitialized value.") {}
   
   virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
-    for (GRExprEngine::UndefReceiversTy::iterator I=Eng.undef_receivers_begin(),
+    for (GRExprEngine::ErrorNodes::iterator I=Eng.undef_receivers_begin(),
          End = Eng.undef_receivers_end(); I!=End; ++I) {
       
       // Generate a report for this bug.
@@ -331,6 +331,33 @@ public:
     Emit(BR, Eng.explicit_oob_memacc_begin(), Eng.explicit_oob_memacc_end());
   }
 };
+  
+class VISIBILITY_HIDDEN ZeroSizeVLA : public BuiltinBug {
+
+public:
+  ZeroSizeVLA() : BuiltinBug("Zero-sized VLA",  
+                             "VLAs with zero-size are undefined.") {}
+  
+  virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
+    for (GRExprEngine::ErrorNodes::iterator
+          I = Eng.ExplicitZeroSizedVLA.begin(),
+          E = Eng.ExplicitZeroSizedVLA.end(); I!=E; ++I) {
+      
+      // Generate a report for this bug.
+      PostStmt PS = cast<PostStmt>((*I)->getLocation());      
+      DeclStmt *DS = cast<DeclStmt>(PS.getStmt());
+      VarDecl* VD = cast<VarDecl>(*DS->decl_begin());
+      QualType T = Eng.getContext().getCanonicalType(VD->getType());
+      VariableArrayType* VT = cast<VariableArrayType>(T);
+      
+      RangedBugReport report(*this, *I);
+      report.addRange(VT->getSizeExpr()->getSourceRange());
+      
+      // Emit the warning.
+      BR.EmitWarning(report);
+    }
+  }
+};
 
 //===----------------------------------------------------------------------===//
 // __attribute__(nonnull) checking
@@ -403,5 +430,6 @@ void GRExprEngine::RegisterInternalChecks() {
   Register(new BadMsgExprArg());
   Register(new BadReceiver());
   Register(new OutOfBoundMemoryAccess());
+  Register(new ZeroSizeVLA());
   AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass); 
 }