pskrgag wrote: This is a tricky one.

So the crash happens in `getElementRegion`, since we try to bind to the first element of the symbolic region with type `void`. Why did the inline asm input become symbolic? Since on input there is an Lvalue -> Rvalue cast, CSA invokes `evalCast` and then inside `RegionStoreManager::getBindingForVar`:

```c
  // This must come after the check for constants because closure-captured
  // constant variables may appear in UnknownSpaceRegion.
  if (isa<UnknownSpaceRegion>(MS))
    return svalBuilder.getRegionValueSymbolVal(R);

  if (isa<GlobalsSpaceRegion>(MS)) {
    QualType T = VD->getType();

    // If we're in main(), then global initializers have not become stale yet.
    if (B.isMainAnalysis())
      ...

    return svalBuilder.getRegionValueSymbolVal(R); // <-- symbolic region created here
  }
```

Not sure about the fix right now... I can only come up with a dirty hack like

```diff
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index ba29c1231390..d6488065843d 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -2380,8 +2380,14 @@ RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) {
 
   // Binding directly to a symbolic region should be treated as binding
   // to element 0.
-  if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
+  if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
+    QualType PT = SR->getPointeeStaticType();
+
+    if (PT.isVoidType())
+      PT = StateMgr.getContext().CharTy;
+
     R = GetElementZeroRegion(SR, SR->getPointeeStaticType());
+  }
 
   assert((!isa<CXXThisRegion>(R) || !B.lookup(R)) &&
          "'this' pointer is not an l-value and is not assignable");
```

https://github.com/llvm/llvm-project/pull/103714

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
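Review bot: in the `RegionStoreManager::bind` hunk the computed `PT` is never used: after mapping a `void` pointee to `CharTy`, the unchanged line still calls `GetElementZeroRegion(SR, SR->getPointeeStaticType())`, so the element-0 region is created with the original `void` type and the crash path described above is not actually avoided. The call should become `R = GetElementZeroRegion(SR, PT);`. The blank `+` line before the closing `+  }` also adds an empty line inside the block that the surrounding code does not use.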
So crash happens in `getElementRegion`, since we try to bind to first element of the symbolic region with type `void`. Why did inline asm input become symbolic? Since on input there is a Lvalue -> Rvalue cast, CSA invokes `evalCast` and then inside `RegionStoreManager::getBindingForVar`: ````c // This must come after the check for constants because closure-captured // constant variables may appear in UnknownSpaceRegion. if (isa<UnknownSpaceRegion>(MS)) return svalBuilder.getRegionValueSymbolVal(R); if (isa<GlobalsSpaceRegion>(MS)) { QualType T = VD->getType(); // If we're in main(), then global initializers have not become stale yet. if (B.isMainAnalysis()) ... return svalBuilder.getRegionValueSymbolVal(R); <-- symbolic region created here } ``` Not sure about the fix right now... I can only come up with dirty hack like ```diff diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp index ba29c1231390..d6488065843d 100644 --- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp +++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp @@ -2380,8 +2380,14 @@ RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) { // Binding directly to a symbolic region should be treated as binding // to element 0. - if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) + if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) { + QualType PT = SR->getPointeeStaticType(); + + if (PT.isVoidType()) + PT = StateMgr.getContext().CharTy; + R = GetElementZeroRegion(SR, SR->getPointeeStaticType()); + } assert((!isa<CXXThisRegion>(R) || !B.lookup(R)) && "'this' pointer is not an l-value and is not assignable"); ``` https://github.com/llvm/llvm-project/pull/103714 _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits