Fix another false positive in RegionStore involving doing loads from symbolic offsets...

author Ted Kremenek <kremenek@apple.com>

Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)

committer Ted Kremenek <kremenek@apple.com>

Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)
author Ted Kremenek <kremenek@apple.com>
Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)
committer Ted Kremenek <kremenek@apple.com>
Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)
diff --git a/lib/StaticAnalyzer/Core/RegionStore.cpp b/lib/StaticAnalyzer/Core/RegionStore.cpp

index 4cafddc08ab0f42d3ccb70e33f748ac054f82bc9..1619e6bc6468c5a53cd0091e93d5725934f413e9 100644 (file)
--- a/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1194,14 +1194,23 @@ SVal RegionStoreManager::getBindingForFieldOrElementCommon(Store store,
  
    // At this point we have already checked in either getBindingForElement or
    // getBindingForField if 'R' has a direct binding.
-
    RegionBindings B = GetRegionBindings(store);
+  
+  // Record whether or not we see a symbolic index.  That can completely
+  // be out of scope of our lookup.
+  bool hasSymbolicIndex = false;
  
    while (superR) {
      if (const Optional<SVal> &D =
          getBindingForDerivedDefaultValue(B, superR, R, Ty))
        return *D;
  
+    if (const ElementRegion *ER = dyn_cast<ElementRegion>(superR)) {
+      NonLoc index = ER->getIndex();
+      if (!index.isConstant())
+        hasSymbolicIndex = true;
+    }
+    
      // If our super region is a field or element itself, walk up the region
      // hierarchy to see if there is a default value installed in an ancestor.
      if (const SubRegion *SR = dyn_cast<SubRegion>(superR)) {
@@ -1220,7 +1229,7 @@ SVal RegionStoreManager::getBindingForFieldOrElementCommon(Store store,
      return getLazyBinding(lazyBindingRegion, lazyBindingStore);
  
    if (R->hasStackNonParametersStorage()) {
-    if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
+    if (isa<ElementRegion>(R)) {
        // Currently we don't reason specially about Clang-style vectors.  Check
        // if superR is a vector and if so return Unknown.
        if (const TypedValueRegion *typedSuperR = 
@@ -1228,13 +1237,15 @@ SVal RegionStoreManager::getBindingForFieldOrElementCommon(Store store,
          if (typedSuperR->getValueType()->isVectorType())
            return UnknownVal();
        }
-      
-      // FIXME: We also need to take ElementRegions with symbolic indexes into
-      // account.
-      if (!ER->getIndex().isConstant())
-        return UnknownVal();
      }
  
+    // FIXME: We also need to take ElementRegions with symbolic indexes into
+    // account.  This case handles both directly accessing an ElementRegion
+    // with a symbolic offset, but also fields within an element with
+    // a symbolic offset.
+    if (hasSymbolicIndex)
+      return UnknownVal();
+    
      return UndefinedVal();
    }
  
diff --git a/test/Analysis/misc-ps-region-store.m b/test/Analysis/misc-ps-region-store.m

index 7268c909be855f560745b735925d8d05817a004b..1c5b0b29ddd66d301040fb6afef90af334a6a303 100644 (file)
--- a/test/Analysis/misc-ps-region-store.m
+++ b/test/Analysis/misc-ps-region-store.m
@@ -1325,3 +1325,19 @@ void rdar9444714() {
    *dst = '\0';
  }
  
+// Test handling symbolic elements with field accesses.
+// <rdar://problem/11127008>
+typedef struct {
+    unsigned value;
+} RDar11127008;
+
+signed rdar_11127008_index();
+
+static unsigned rdar_11127008(void) {
+    RDar11127008 values[] = {{.value = 0}, {.value = 1}};
+    signed index = rdar_11127008_index();
+    if (index < 0) return 0;
+    if (index >= 2) return 0;
+    return values[index].value;
+}
+
author	Ted Kremenek <kremenek@apple.com>
	Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)
committer	Ted Kremenek <kremenek@apple.com>
	Tue, 3 Apr 2012 00:03:34 +0000 (00:03 +0000)
lib/StaticAnalyzer/Core/RegionStore.cpp		patch \| blob \| history
test/Analysis/misc-ps-region-store.m		patch \| blob \| history