steakhal added a comment.

Finally, I made my investigations and I came up with this code:

    void strcpy(char *, char *);
    void test(int *a, char ***b) {
      *(unsigned char **)b = (unsigned char *)a; // #1
      if (**b == nullptr) // will-crash
        ;
    }

So, this issue does not relate to CStringChecker. It will crash at `ExprEngineC.cpp:100`.

It seems that we have to make the choice of how to model type punning.
As you can see in the example, we overwrite the pointer value of `*b` to point to an //unsigned char// value //(#1)//.
The static type of `b` (//char***//) does not reflect the associated value's type, which is //unsigned char**// - //(note the number of indirections!)// - in other words, an obvious type pun happened at that line.

If we get the value of `**b`, we get a //NonLoc// of type //unsigned char//.
The dump of `**b` confirms this: `reg_$4<unsigned char Element{SymRegion{reg_$0<int * a>},0 S64b,unsigned char}>`, which is a `NonLoc` indeed.

IMO we should fix the root cause of this in the Core.
I think we should have a symbolic cast back to the static type before doing anything with the SVal (iff the BaseKind differs).
If we do this, we will get a Loc as expected - and neither this bug nor your original bug would fire.

WDYT @NoQ @martong @ASDenysPetrov @Szelethus?

https://reviews.llvm.org/D77062