[analyzer] Re-enable reasoning about CK_LValueBitCast

It’s important for us to reason about the cast as it is used in std::addressof. The reason we did not
handle the cast previously was a crash on a test case (see commit r157478). The crash was in
processing array to pointer decay when the region type was not an array. Address the issue, by
just returning an unknown in that case.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@182808 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index 67aeab60033f95ce31282863caf34582a89241db..8487267592818eb8cecc768192111b266370d834 100644 (file)
--- a/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -309,7 +309,8 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
       case CK_BlockPointerToObjCPointerCast:
       case CK_AnyPointerToBlockPointerCast:  
       case CK_ObjCObjectLValueCast: 
-      case CK_ZeroToOCLEvent: {
+      case CK_ZeroToOCLEvent:
+      case CK_LValueBitCast: {
         // Delegate to SValBuilder to process.
         SVal V = state->getSVal(Ex, LCtx);
         V = svalBuilder.evalCast(V, T, ExTy);
@@ -381,8 +382,7 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
       case CK_BaseToDerivedMemberPointer:
       case CK_DerivedToBaseMemberPointer:
       case CK_ReinterpretMemberPointer:
-      case CK_VectorSplat:
-      case CK_LValueBitCast: {
+      case CK_VectorSplat: {
         // Recover some path-sensitivty by conjuring a new value.
         QualType resultType = CastE->getType();
         if (CastE->isGLValue())

diff --git a/lib/StaticAnalyzer/Core/RegionStore.cpp b/lib/StaticAnalyzer/Core/RegionStore.cpp
index 88c4eee4bb2bcef0ff0db4b0e386b9fb3136669c..729fc009fe804199fb44945a05b599c19a2ebec1 100644 (file)
--- a/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1262,7 +1262,10 @@ SVal RegionStoreManager::ArrayToPointer(Loc Array) {
 
   // Strip off typedefs from the ArrayRegion's ValueType.
   QualType T = ArrayR->getValueType().getDesugaredType(Ctx);
-  const ArrayType *AT = cast<ArrayType>(T);
+  const ArrayType *AT = dyn_cast<ArrayType>(T);
+  if (!AT)
+    return UnknownVal();
+
   T = AT->getElementType();
 
   NonLoc ZeroIdx = svalBuilder.makeZeroArrayIndex();

diff --git a/test/Analysis/reinterpret-cast.cpp b/test/Analysis/reinterpret-cast.cpp
index 59e6a539a11f4673f57c7d43583f2414720b0e9b..cb7cbfd325d80b3911075cc41172343670841ffc 100644 (file)
--- a/test/Analysis/reinterpret-cast.cpp
+++ b/test/Analysis/reinterpret-cast.cpp
@@ -86,3 +86,20 @@ namespace PR15345 {
     clang_analyzer_eval(p->x == 42); // expected-warning{{TRUE}}
   };
 }
+
+int trackpointer_std_addressof() {
+  int x;
+  int *p = (int*)&reinterpret_cast<const volatile char&>(x);
+  *p = 6;
+  return x; // no warning
+}
+
+void set_x1(int *&);
+void set_x2(void *&);
+int radar_13146953(void) {
+  int *x = 0, *y = 0;
+
+  set_x1(x);
+  set_x2((void *&)y);
+  return *x + *y; // no warning
+}
\ No newline at end of file