diff options
| -rw-r--r-- | lib/StaticAnalyzer/Core/ExprEngine.cpp | 26 | ||||
| -rw-r--r-- | test/Analysis/fields.c | 7 | ||||
| -rw-r--r-- | test/Analysis/nullptr.cpp | 9 |
3 files changed, 13 insertions, 29 deletions
diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp b/lib/StaticAnalyzer/Core/ExprEngine.cpp index 0e48864645..007bcf5208 100644 --- a/lib/StaticAnalyzer/Core/ExprEngine.cpp +++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp @@ -1515,30 +1515,22 @@ void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred, return; } + // FIXME: Should we insert some assumption logic in here to determine + // if "Base" is a valid piece of memory? Before we put this assumption + // later when using FieldOffset lvals (which we no longer have). + // For all other cases, compute an lvalue. SVal L = state->getLValue(field, baseExprVal); if (M->isGLValue()) { - ExplodedNodeSet Tmp; - Bldr.takeNodes(Pred); - evalLocation(Tmp, M, M, Pred, state, baseExprVal, - /*Tag=*/0, /*isLoad=*/true); - Bldr.addNodes(Tmp); - - const MemRegion *ReferenceRegion = 0; if (field->getType()->isReferenceType()) { - ReferenceRegion = L.getAsRegion(); - if (!ReferenceRegion) + if (const MemRegion *R = L.getAsRegion()) + L = state->getSVal(R); + else L = UnknownVal(); } - for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end(); I != E; ++I){ - state = (*I)->getState(); - if (ReferenceRegion) - L = state->getSVal(ReferenceRegion); - - Bldr.generateNode(M, (*I), state->BindExpr(M, LCtx, L), 0, - ProgramPoint::PostLValueKind); - } + Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), 0, + ProgramPoint::PostLValueKind); } else { Bldr.takeNodes(Pred); evalLoad(Dst, M, M, Pred, state, L); diff --git a/test/Analysis/fields.c b/test/Analysis/fields.c index a10d5a8060..da0847a560 100644 --- a/test/Analysis/fields.c +++ b/test/Analysis/fields.c @@ -26,10 +26,3 @@ void test() { Point p; (void)(p = getit()).x; } - - -void testNullAddress() { - Point *p = 0; - int *px = &p->x; // expected-warning{{Access to field 'x' results in a dereference of a null pointer (loaded from variable 'p')}} - *px = 1; // No warning because analysis stops at the previous line. -} diff --git a/test/Analysis/nullptr.cpp b/test/Analysis/nullptr.cpp index 80ef5fbf6d..050c3f8dc5 100644 --- a/test/Analysis/nullptr.cpp +++ b/test/Analysis/nullptr.cpp @@ -23,11 +23,10 @@ void foo3(void) { }; char *np = nullptr; // casting a nullptr to anything should be caught eventually - int *ip = &(((struct foo *)np)->f); // expected-warning{{Access to field 'f' results in a dereference of a null pointer (loaded from variable 'np')}} - - // Analysis stops at the first problem case, so we won't actually warn here. - *ip = 0; - *np = 0; + int *ip = &(((struct foo *)np)->f); + *ip = 0; // expected-warning{{Dereference of null pointer}} + // should be error here too, but analysis gets stopped +// *np = 0; } // nullptr is implemented as a zero integer value, so should be able to compare |