This revision was automatically updated to reflect the committed changes.
Closed by commit rC328896: [analyzer] Track null or undef values through 
pointer arithmetic. (authored by dergachev, committed by ).

Repository:
  rC Clang

https://reviews.llvm.org/D45071

Files:
  lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
  test/Analysis/inlining/inline-defensive-checks.c
  test/Analysis/null-deref-path-notes.c

Index: test/Analysis/inlining/inline-defensive-checks.c
===================================================================
--- test/Analysis/inlining/inline-defensive-checks.c
+++ test/Analysis/inlining/inline-defensive-checks.c
@@ -159,8 +159,7 @@
 void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) {
   idc(s);
   int *x = &(s->f2) - 1;
-  // FIXME: Should not warn.
-  *x = 7; // expected-warning{{Dereference of null pointer}}
+  *x = 7; // no-warning
 }
 
 void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) {
Index: test/Analysis/null-deref-path-notes.c
===================================================================
--- test/Analysis/null-deref-path-notes.c
+++ test/Analysis/null-deref-path-notes.c
@@ -1,9 +1,52 @@
-// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s
+// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s
 
 // Avoid the crash when finding the expression for tracking the origins
 // of the null pointer for path notes.
 void pr34373() {
   int *a = 0; // expected-note{{'a' initialized to a null pointer value}}
   (a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
               // expected-note@-1{{Array access results in a null pointer dereference}}
 }
+
+typedef __typeof(sizeof(int)) size_t;
+void *memcpy(void *dest, const void *src, unsigned long count);
+
+void f1(char *source) {
+  char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
+  memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                       // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
+
+void f2(char *source) {
+  char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
+  memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                       // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
+
+void f3(char *source) {
+  char *destination = 0; // FIXME: There should be a note here as well.
+  destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}}
+  memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                   // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
+
+void f4(char *source) {
+  char *destination = 0; // FIXME: There should be a note here as well.
+  destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}}
+  memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                   // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
+
+void f5(char *source) {
+  char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
+  char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}}
+  memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                    // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
+
+void f6(char *source) {
+  char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
+  char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}}
+  memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                    // expected-note@-1{{Null pointer argument in call to memory copy function}}
+}
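Review bot: Every new case (f1 through f6) puts the pointer on the left of `+ 0` or `- 0`, so the `B->getRHS()` branch of the `peelOffPointerArithmetic` helper added in BugReporterVisitors.cpp is not exercised by this file. A case such as `memcpy(0 + destination, source, 10);`, presumably with the same expected note and warning as f1, would cover the integer-on-the-left form. Separately, the `size_t` typedef is added but never used, because the `memcpy` prototype takes `unsigned long count`. Declaring it as `void *memcpy(void *dest, const void *src, size_t count);` would keep the prototype in line with the library signature on targets where `size_t` is not `unsigned long`.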
Index: lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
===================================================================
--- lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -75,6 +75,17 @@
   return false;
 }
 
+static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) {
+  if (B->isAdditiveOp() && B->getType()->isPointerType()) {
+    if (B->getLHS()->getType()->isPointerType()) {
+      return B->getLHS();
+    } else if (B->getRHS()->getType()->isPointerType()) {
+      return B->getRHS();
+    }
+  }
+  return nullptr;
+}
+
 /// Given that expression S represents a pointer that would be dereferenced,
 /// try to find a sub-expression from which the pointer came from.
 /// This is used for tracking down origins of a null or undefined value:
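Review bot: The new static helper `peelOffPointerArithmetic` has no doc comment, although it has two callers and a nullptr-means-no-match contract that is only visible by reading the body. I would add `/// If \p B is pointer arithmetic ('p + n', 'n + p' or 'p - n'), return the pointer operand; otherwise return nullptr.` above it. As a style point, the `} else if (...)` follows a `return`, so the second test can be a plain `if (B->getRHS()->getType()->isPointerType()) return B->getRHS();` without the `else`.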
@@ -101,14 +112,8 @@
       E = CE->getSubExpr();
     } else if (const auto *B = dyn_cast<BinaryOperator>(E)) {
       // Pointer arithmetic: '*(x + 2)' -> 'x') etc.
-      if (B->getType()->isPointerType()) {
-        if (B->getLHS()->getType()->isPointerType()) {
-          E = B->getLHS();
-        } else if (B->getRHS()->getType()->isPointerType()) {
-          E = B->getRHS();
-        } else {
-          break;
-        }
+      if (const Expr *Inner = peelOffPointerArithmetic(B)) {
+        E = Inner;
       } else {
         // Probably more arithmetic can be pattern-matched here,
         // but for now give up.
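Review bot: Routing this branch through `peelOffPointerArithmetic` narrows what it matches. The removed code peeled any `BinaryOperator` whose type is a pointer, whereas the helper also requires `B->isAdditiveOp()`. Pointer-typed non-additive operators (an assignment or comma expression used as the dereferenced operand, for instance) now appear to fall into the give-up branch instead of being tracked through their pointer operand. If that is intended, a short comment here, or a test pinning the path notes for such an expression, would make the change deliberate rather than incidental. The enclosing function starts and ends outside this hunk, so I cannot see whether another branch already handles those operators.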
@@ -1412,6 +1417,11 @@
       NI = NI->getFirstPred();
     } while (NI);
   }
+
+  if (auto *BO = dyn_cast<BinaryOperator>(Ex))
+    if (const Expr *SubEx = peelOffPointerArithmetic(BO))
+      return peelOffOuterExpr(SubEx, N);
+
   return Ex;
 }
 
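Review bot: The added `dyn_cast` binds to `auto *BO`, while the other call site of the helper uses `const auto *B`; since `peelOffPointerArithmetic` takes a `const BinaryOperator *`, writing `if (const auto *BO = dyn_cast<BinaryOperator>(Ex))` keeps the two consistent and states the constness at the declaration. The block would also benefit from a one-line comment saying why the outer expression is peeled again here, e.g. `// Look through pointer arithmetic so a null/undef base is tracked to its origin.` The function's beginning is outside the hunk, so this is based on the visible tail only.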