diff options
| -rw-r--r-- | lib/StaticAnalyzer/Core/ExprEngineC.cpp | 22 | ||||
| -rw-r--r-- | test/Analysis/logical-ops.c | 27 |
2 files changed, 47 insertions, 2 deletions
diff --git a/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/lib/StaticAnalyzer/Core/ExprEngineC.cpp index 46cba81b14..3e14765875 100644 --- a/lib/StaticAnalyzer/Core/ExprEngineC.cpp +++ b/lib/StaticAnalyzer/Core/ExprEngineC.cpp @@ -531,10 +531,28 @@ void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred, else { // If there is no terminator, by construction the last statement // in SrcBlock is the value of the enclosing expression. + // However, we still need to constrain that value to be 0 or 1. assert(!SrcBlock->empty()); CFGStmt Elem = cast<CFGStmt>(*SrcBlock->rbegin()); - const Stmt *S = Elem.getStmt(); - X = N->getState()->getSVal(S, Pred->getLocationContext()); + const Expr *RHS = cast<Expr>(Elem.getStmt()); + SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext()); + + DefinedOrUnknownSVal DefinedRHS = cast<DefinedOrUnknownSVal>(RHSVal); + ProgramStateRef StTrue, StFalse; + llvm::tie(StTrue, StFalse) = N->getState()->assume(DefinedRHS); + if (StTrue) { + if (StFalse) { + // We can't constrain the value to 0 or 1; the best we can do is a cast. + X = getSValBuilder().evalCast(RHSVal, B->getType(), RHS->getType()); + } else { + // The value is known to be true. + X = getSValBuilder().makeIntVal(1, B->getType()); + } + } else { + // The value is known to be false. + assert(StFalse && "Infeasible path!"); + X = getSValBuilder().makeIntVal(0, B->getType()); + } } Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X)); diff --git a/test/Analysis/logical-ops.c b/test/Analysis/logical-ops.c new file mode 100644 index 0000000000..a1223b39fa --- /dev/null +++ b/test/Analysis/logical-ops.c @@ -0,0 +1,27 @@ +// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -verify %s + +void clang_analyzer_eval(int); + +void testAnd(int i, int *p) { + int *nullP = 0; + int *knownP = &i; + clang_analyzer_eval((knownP && knownP) == 1); // expected-warning{{TRUE}} + clang_analyzer_eval((knownP && nullP) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval((knownP && p) == 1); // expected-warning{{UNKNOWN}} +} + +void testOr(int i, int *p) { + int *nullP = 0; + int *knownP = &i; + clang_analyzer_eval((nullP || knownP) == 1); // expected-warning{{TRUE}} + clang_analyzer_eval((nullP || nullP) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval((nullP || p) == 1); // expected-warning{{UNKNOWN}} +} + + +// PR13461 +int testTypeIsInt(int i, void *p) { + if (i | (p && p)) + return 1; + return 0; +} |