NoQ created this revision.
NoQ added reviewers: dcoughlin, xazax.hun, a.sidorin, george.karpenkov.
Herald added subscribers: cfe-commits, rnkovacs, szepet.
This continues the series of fine-tuning of how everything behaves in
`-analyzer-config c++-allocator-inlining=true` mode with respects to casts
(`ElementRegion`s with index 0) around the return value of `operator new()`.
Old `operator new()` was always returning `&HeapSymRegion{conj_$N{C *}}`, where
`C` is the type of the allocated object. In the new mode, if the operator is
evaluated conservatively, this value changes to `&element{T, 0 S64b,
HeapSymRegion{conj_$N{C *}}}`, which, as pointed out in
https://reviews.llvm.org/D41250#959755, is not quite intended (but not
addressed yet). However, if the operator is inlined, it is likely to become
`&element{T, 0 S64b, HeapSymRegion{conj_$N{void *}}}` (note the `void`), where
the cast is definitely intended. It means that regardless of how do we want to
treat the no-op cast in the non-inlined case, the checker does not have a right
to rely on the cast being absent.
This patch fixes the region extent modeling under `-analyzer-config
c++-allocator-inlining=true`, which is performed by `MallocChecker` and
consumed by other checkers such as `ArrayBoundChecker`. It is pointless to
model the extent of the element region, when in fact we're trying to model the
extent of the whole array. Note that behavior of the array `operator new[]`
changes slightly, even if we're not trying to model it.
Repository:
rC Clang
https://reviews.llvm.org/D41796
Files:
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
test/Analysis/out-of-bounds-new.cpp
Index: test/Analysis/out-of-bounds-new.cpp
===================================================================
--- test/Analysis/out-of-bounds-new.cpp
+++ test/Analysis/out-of-bounds-new.cpp
@@ -1,4 +1,5 @@
// RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds
-analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -verify %s
+// RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds
-analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -analyzer-config
c++-allocator-inlining=true -verify %s
// Tests doing an out-of-bounds access after the end of an array using:
// - constant integer index
Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1124,7 +1124,7 @@
->getAs<SubRegion>();
} else {
ElementCount = svalBuilder.makeIntVal(1, true);
- Region = Target.getAsRegion()->getAs<SubRegion>();
+ Region = cast<SubRegion>(Target.getAsRegion()->StripCasts());
}
assert(Region);
Index: test/Analysis/out-of-bounds-new.cpp
===================================================================
--- test/Analysis/out-of-bounds-new.cpp
+++ test/Analysis/out-of-bounds-new.cpp
@@ -1,4 +1,5 @@
// RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds -analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -verify %s
+// RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds -analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -analyzer-config c++-allocator-inlining=true -verify %s
// Tests doing an out-of-bounds access after the end of an array using:
// - constant integer index
Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1124,7 +1124,7 @@
->getAs<SubRegion>();
} else {
ElementCount = svalBuilder.makeIntVal(1, true);
- Region = Target.getAsRegion()->getAs<SubRegion>();
+ Region = cast<SubRegion>(Target.getAsRegion()->StripCasts());
}
assert(Region);
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
