Correctly propagate uninitialized values within logical expressions.

author Ted Kremenek <kremenek@apple.com>

Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)

committer Ted Kremenek <kremenek@apple.com>

Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)
author Ted Kremenek <kremenek@apple.com>
Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)
committer Ted Kremenek <kremenek@apple.com>
Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)
diff --git a/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/lib/StaticAnalyzer/Core/ExprEngineC.cpp

index 3444557553a2b7df070e304f88ce0db224ff682d..1253f8888c76345cd922b6a710dce8416c3c08a6 100644 (file)
--- a/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -537,24 +537,28 @@ void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
      const Expr *RHS = cast<Expr>(Elem.getStmt());
      SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext());
  
-    DefinedOrUnknownSVal DefinedRHS = cast<DefinedOrUnknownSVal>(RHSVal);
-    ProgramStateRef StTrue, StFalse;
-    llvm::tie(StTrue, StFalse) = N->getState()->assume(DefinedRHS);
-    if (StTrue) {
-      if (StFalse) {
-        // We can't constrain the value to 0 or 1; the best we can do is a cast.
-        X = getSValBuilder().evalCast(RHSVal, B->getType(), RHS->getType());
+    if (RHSVal.isUndef()) {
+      X = RHSVal;
+    } else {
+      DefinedOrUnknownSVal DefinedRHS = cast<DefinedOrUnknownSVal>(RHSVal);
+      ProgramStateRef StTrue, StFalse;
+      llvm::tie(StTrue, StFalse) = N->getState()->assume(DefinedRHS);
+      if (StTrue) {
+        if (StFalse) {
+          // We can't constrain the value to 0 or 1.
+          // The best we can do is a cast.
+          X = getSValBuilder().evalCast(RHSVal, B->getType(), RHS->getType());
+        } else {
+          // The value is known to be true.
+          X = getSValBuilder().makeIntVal(1, B->getType());
+        }
        } else {
-        // The value is known to be true.
-        X = getSValBuilder().makeIntVal(1, B->getType());
+        // The value is known to be false.
+        assert(StFalse && "Infeasible path!");
+        X = getSValBuilder().makeIntVal(0, B->getType());
        }
-    } else {
-      // The value is known to be false.
-      assert(StFalse && "Infeasible path!");
-      X = getSValBuilder().makeIntVal(0, B->getType());
      }
    }
-
    Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X));
  }
  
diff --git a/test/Analysis/misc-ps.c b/test/Analysis/misc-ps.c

index ef89321fff6ccce7981f92b2693721ed16f63309..ef65e0d731c431403375802ed0ab70691e7e3352 100644 (file)
--- a/test/Analysis/misc-ps.c
+++ b/test/Analysis/misc-ps.c
@@ -151,3 +151,9 @@ int rdar_12075238_(unsigned long count) {
    return 0;
  }
  
+// Test that we handle an uninitialized value within a logical expression.
+void PR14635(int *p) {
+  int a = 0, b;
+  *p = a || b; // expected-warning {{Assigned value is garbage or undefined}}
+}
+
author	Ted Kremenek <kremenek@apple.com>
	Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)
committer	Ted Kremenek <kremenek@apple.com>
	Fri, 11 Jan 2013 22:35:39 +0000 (22:35 +0000)
lib/StaticAnalyzer/Core/ExprEngineC.cpp		patch \| blob \| history
test/Analysis/misc-ps.c		patch \| blob \| history