aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h2
-rw-r--r--lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp2
-rw-r--r--lib/StaticAnalyzer/Core/BugReporterVisitors.cpp9
-rw-r--r--test/Analysis/diagnostics/deref-track-symbolic-region.cpp16
4 files changed, 27 insertions, 2 deletions
diff --git a/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h b/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
index f3206964e3..fe64f93d0d 100644
--- a/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
+++ b/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
@@ -256,6 +256,8 @@ void trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R);
const Stmt *GetDerefExpr(const ExplodedNode *N);
const Stmt *GetDenomExpr(const ExplodedNode *N);
const Stmt *GetRetValExpr(const ExplodedNode *N);
+bool isDeclRefExprToReference(const Expr *E);
+
} // end namespace clang
} // end namespace ento
diff --git a/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp b/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
index 45f40368ea..45d854b008 100644
--- a/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
@@ -130,7 +130,7 @@ void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
}
case Stmt::MemberExprClass: {
const MemberExpr *M = cast<MemberExpr>(S);
- if (M->isArrow()) {
+ if (M->isArrow() || bugreporter::isDeclRefExprToReference(M->getBase())) {
llvm::raw_svector_ostream os(buf);
os << "Access to field '" << M->getMemberNameInfo()
<< "' results in a dereference of a null pointer";
diff --git a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index be90de1f34..d5fe1e0a45 100644
--- a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -31,6 +31,13 @@ using namespace ento;
// Utility functions.
//===----------------------------------------------------------------------===//
+bool bugreporter::isDeclRefExprToReference(const Expr *E) {
+ if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
+ return DRE->getDecl()->getType()->isReferenceType();
+ }
+ return false;
+}
+
const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
// Pattern match for a few useful cases (do something smarter later):
// a[0], p->f, *p
@@ -54,7 +61,7 @@ const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
return U->getSubExpr()->IgnoreParenCasts();
}
else if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) {
- if (ME->isArrow()) {
+ if (ME->isArrow() || isDeclRefExprToReference(ME->getBase())) {
return ME->getBase()->IgnoreParenCasts();
}
}
diff --git a/test/Analysis/diagnostics/deref-track-symbolic-region.cpp b/test/Analysis/diagnostics/deref-track-symbolic-region.cpp
new file mode 100644
index 0000000000..87313de13a
--- /dev/null
+++ b/test/Analysis/diagnostics/deref-track-symbolic-region.cpp
@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s
+
+struct S {
+ int *x;
+ int y;
+};
+
+S &getSomeReference();
+void test(S *p) {
+ S &r = *p; //expected-note {{Variable 'r' initialized here}}
+ if (p) return;
+ //expected-note@-1{{Taking false branch}}
+ //expected-note@-2{{Assuming pointer value is null}}
+ r.y = 5; // expected-warning {{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
+ // expected-note@-1{{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}}
+}
generated by cgit v1.2.3-18-g5258 (git 2.32.0) at 2025-06-28 07:23:14 +0000