New patch attached.

Also, in my question I mixed up the input and output parameters. The input parameters are checked, but it looks like the output parameters are not. See the test that the patch adds to nullptr.cpp.

-- Erik.

On 1-3-12 20:35, Ted Kremenek wrote:
Interesting.  We aren't actually simulating a load, which is done by 
'evalLoad', which triggers the dereference checking.  We could do that after 
your cleanup.

On Mar 1, 2012, at 11:29 AM, Erik Verbruggen<[email protected]>  wrote:

Hi Ted,

I'll give it a spin. Do you by chance have any idea why clang (with and without 
patch) does not warn on the de-ref of the input parameter?

-- Erik.

>From 98724bffe49d548a429bc45902517667499379ac Mon Sep 17 00:00:00 2001
From: Erik Verbruggen <[email protected]>
Date: Tue, 28 Feb 2012 10:19:45 +0100
Subject: [PATCH] Remove a recursive visitiation in ExprEngine that is no
 longer needed because the CFG is fully linearized.

---
 .../StaticAnalyzer/Core/PathSensitive/ExprEngine.h |   10 ---
 lib/StaticAnalyzer/Core/ExprEngine.cpp             |   68 ++++---------------
 test/Analysis/nullptr.cpp                          |    9 +++
 3 files changed, 24 insertions(+), 63 deletions(-)

diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h 
b/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
index b7c4958..6016ee1 100644
--- a/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
+++ b/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
@@ -258,16 +258,6 @@ public:
 
   /// VisitAsmStmt - Transfer function logic for inline asm.
   void VisitAsmStmt(const AsmStmt *A, ExplodedNode *Pred, ExplodedNodeSet 
&Dst);
-
-  void VisitAsmStmtHelperOutputs(const AsmStmt *A,
-                                 AsmStmt::const_outputs_iterator I,
-                                 AsmStmt::const_outputs_iterator E,
-                                 ExplodedNode *Pred, ExplodedNodeSet &Dst);
-
-  void VisitAsmStmtHelperInputs(const AsmStmt *A,
-                                AsmStmt::const_inputs_iterator I,
-                                AsmStmt::const_inputs_iterator E,
-                                ExplodedNode *Pred, ExplodedNodeSet &Dst);
   
   /// VisitBlockExpr - Transfer function logic for BlockExprs.
   void VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, 
diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp 
b/lib/StaticAnalyzer/Core/ExprEngine.cpp
index 0a72f01..7528b4a 100644
--- a/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -1642,67 +1642,29 @@ void ExprEngine::evalEagerlyAssume(ExplodedNodeSet 
&Dst, ExplodedNodeSet &Src,
 }
 
 void ExprEngine::VisitAsmStmt(const AsmStmt *A, ExplodedNode *Pred,
-                                ExplodedNodeSet &Dst) {
-  VisitAsmStmtHelperOutputs(A, A->begin_outputs(), A->end_outputs(), Pred, 
Dst);
-}
-
-void ExprEngine::VisitAsmStmtHelperOutputs(const AsmStmt *A,
-                                             AsmStmt::const_outputs_iterator I,
-                                             AsmStmt::const_outputs_iterator E,
-                                     ExplodedNode *Pred, ExplodedNodeSet &Dst) 
{
-  if (I == E) {
-    VisitAsmStmtHelperInputs(A, A->begin_inputs(), A->end_inputs(), Pred, Dst);
-    return;
-  }
-
-  ExplodedNodeSet Tmp;
-  Visit(*I, Pred, Tmp);
-  ++I;
-
-  for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end();NI != 
NE;++NI)
-    VisitAsmStmtHelperOutputs(A, I, E, *NI, Dst);
-}
-
-void ExprEngine::VisitAsmStmtHelperInputs(const AsmStmt *A,
-                                            AsmStmt::const_inputs_iterator I,
-                                            AsmStmt::const_inputs_iterator E,
-                                            ExplodedNode *Pred,
-                                            ExplodedNodeSet &Dst) {
-  if (I == E) {
-    StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
-    // We have processed both the inputs and the outputs.  All of the outputs
-    // should evaluate to Locs.  Nuke all of their values.
-
-    // FIXME: Some day in the future it would be nice to allow a "plug-in"
-    // which interprets the inline asm and stores proper results in the
-    // outputs.
-
-    ProgramStateRef state = Pred->getState();
+                              ExplodedNodeSet &Dst) {
+  StmtNodeBuilder Bldr(Pred, Dst, *currentBuilderContext);
+  // We have processed both the inputs and the outputs.  All of the outputs
+  // should evaluate to Locs.  Nuke all of their values.
 
-    for (AsmStmt::const_outputs_iterator OI = A->begin_outputs(),
-                                   OE = A->end_outputs(); OI != OE; ++OI) {
+  // FIXME: Some day in the future it would be nice to allow a "plug-in"
+  // which interprets the inline asm and stores proper results in the
+  // outputs.
 
-      SVal X = state->getSVal(*OI, Pred->getLocationContext());
-      assert (!isa<NonLoc>(X));  // Should be an Lval, or unknown, undef.
+  ProgramStateRef state = Pred->getState();
 
-      if (isa<Loc>(X))
-        state = state->bindLoc(cast<Loc>(X), UnknownVal());
-    }
+  for (AsmStmt::const_outputs_iterator OI = A->begin_outputs(),
+       OE = A->end_outputs(); OI != OE; ++OI) {
+    SVal X = state->getSVal(*OI, Pred->getLocationContext());
+    assert (!isa<NonLoc>(X));  // Should be an Lval, or unknown, undef.
 
-    Bldr.generateNode(A, Pred, state);
-    return;
+    if (isa<Loc>(X))
+      state = state->bindLoc(cast<Loc>(X), UnknownVal());
   }
 
-  ExplodedNodeSet Tmp;
-  Visit(*I, Pred, Tmp);
-
-  ++I;
-
-  for (ExplodedNodeSet::iterator NI = Tmp.begin(), NE = Tmp.end(); NI!=NE; 
++NI)
-    VisitAsmStmtHelperInputs(A, I, E, *NI, Dst);
+  Bldr.generateNode(A, Pred, state);
 }
 
-
 
//===----------------------------------------------------------------------===//
 // Visualization.
 
//===----------------------------------------------------------------------===//
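Review bot: The output loop in `VisitAsmStmt` invalidates each operand by calling `state->bindLoc(cast<Loc>(X), UnknownVal())` directly, so as far as this hunk shows no location check runs on the output. A null or undefined output location (the `*a` case in the added test) is therefore rebound or skipped rather than reported, which matches what the thread observes. Nothing in the code records that gap; I would add `// FIXME: Outputs are bound without a location check, so a store through a null output operand is not diagnosed.` above the loop. The retained comment "We have processed both the inputs and the outputs" also no longer describes this function, which now relies on the linearized CFG having evaluated the operands earlier; reword it, e.g. `// The operands were already evaluated as separate CFG elements before this statement.`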
diff --git a/test/Analysis/nullptr.cpp b/test/Analysis/nullptr.cpp
index 89b4173..3f2bac1 100644
--- a/test/Analysis/nullptr.cpp
+++ b/test/Analysis/nullptr.cpp
@@ -50,3 +50,12 @@ void zoo1() {
   char **p = 0;
   delete *(p + 0); // expected-warning{{Dereference of null pointer}}
 }
+
+void zoo2() {
+  int **a = 0;
+  int **b = 0;
+  asm ("nop"
+      :"=a"(*a)
+      :"0"(*b) // expected-warning{{Dereference of null pointer}}
+      );
+}
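Review bot: `zoo2` annotates only the input operand `*b`, so the test passes while the null output operand `*a` goes undiagnosed, and a reader cannot tell that this is a known analyzer gap rather than intended behaviour. Mark it on the output line, e.g. `:"=a"(*a) // FIXME: no warning yet; output operands are not checked.`, so the expectation gets flipped once outputs are checked. The `"=a"` constraint is x86-specific and the RUN line is outside this hunk, so confirm it pins a target triple or the test may fail on other hosts.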
-- 
1.7.5.4

_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
