[PATCH] D26442: [analyzer] Fix crash on getSVal: handle case of CompoundVal

Wed, 09 Nov 2016 06:02:02 -0800 

ilya-palachev created this revision.
ilya-palachev added reviewers: dcoughlin, zaks.anna, NoQ.
ilya-palachev added subscribers: cfe-commits, a.sidorin.
ilya-palachev set the repository for this revision to rL LLVM.

If the pointer to the uninitialized union is casted to the structure of another 
type, this may lead to the crash in the RegionStore. This patch tries to handle 
this bug.


Repository:
  rL LLVM

https://reviews.llvm.org/D26442

Files:
  lib/StaticAnalyzer/Core/RegionStore.cpp
  test/Analysis/uninit-vals-union.c


Index: test/Analysis/uninit-vals-union.c
===================================================================
--- /dev/null
+++ test/Analysis/uninit-vals-union.c
@@ -0,0 +1,13 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core.builtin 
-analyzer-store=region -verify -Wno-unused %s
+
+typedef union {
+  int y;
+} U;
+
+typedef struct { int x; } A;
+
+void foo() {
+  U u = {};
+  A *a = &u; // expected-warning{{incompatible pointer types}}
+  a->x;      // no-crash
+}
Index: lib/StaticAnalyzer/Core/RegionStore.cpp
===================================================================
--- lib/StaticAnalyzer/Core/RegionStore.cpp
+++ lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1674,7 +1674,8 @@
 
     // Lazy bindings are usually handled through getExistingLazyBinding().
     // We should unify these two code paths at some point.
-    if (val.getAs<nonloc::LazyCompoundVal>())
+    if (val.getAs<nonloc::LazyCompoundVal>() ||
+        val.getAs<nonloc::CompoundVal>())
       return val;
 
     llvm_unreachable("Unknown default value");



Index: test/Analysis/uninit-vals-union.c
===================================================================
--- /dev/null
+++ test/Analysis/uninit-vals-union.c
@@ -0,0 +1,13 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core.builtin -analyzer-store=region -verify -Wno-unused %s
+
+typedef union {
+  int y;
+} U;
+
+typedef struct { int x; } A;
+
+void foo() {
+  U u = {};
+  A *a = &u; // expected-warning{{incompatible pointer types}}
+  a->x;      // no-crash
+}
Index: lib/StaticAnalyzer/Core/RegionStore.cpp
===================================================================
--- lib/StaticAnalyzer/Core/RegionStore.cpp
+++ lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1674,7 +1674,8 @@
 
     // Lazy bindings are usually handled through getExistingLazyBinding().
     // We should unify these two code paths at some point.
-    if (val.getAs<nonloc::LazyCompoundVal>())
+    if (val.getAs<nonloc::LazyCompoundVal>() ||
+        val.getAs<nonloc::CompoundVal>())
       return val;
 
     llvm_unreachable("Unknown default value");

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to