When casting region, if we do not create an element region, record the cast-to

type.

When retrieving the region value, if we are going to create a symbol value, use
the cast-to type if possible.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@73690 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/include/clang/Analysis/PathSensitive/ValueManager.h b/include/clang/Analysis/PathSensitive/ValueManager.h
index 89af975de7af1ae6615a9050a0abaa41f67a1e9c..b86f4e875304fd4db322afc9d057ed9319a590e7 100644 (file)
--- a/include/clang/Analysis/PathSensitive/ValueManager.h
+++ b/include/clang/Analysis/PathSensitive/ValueManager.h
@@ -81,7 +81,7 @@ public:
   SVal makeZeroArrayIndex();
 
   /// GetRegionValueSymbolVal - make a unique symbol for value of R.
-  SVal getRegionValueSymbolVal(const MemRegion* R);
+  SVal getRegionValueSymbolVal(const MemRegion* R, QualType T = QualType());
   
   SVal getConjuredSymbolVal(const Expr *E, unsigned Count);  
   SVal getConjuredSymbolVal(const Expr* E, QualType T, unsigned Count);

diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp
index d67fa84c71379fd3ff9bea037babad6c7275b990..af8c7c9a9b2dcebb4d7b958a8af4d00a508ee1e7 100644 (file)
--- a/lib/Analysis/RegionStore.cpp
+++ b/lib/Analysis/RegionStore.cpp
@@ -584,6 +584,7 @@ SVal RegionStoreManager::getSizeInElements(const GRState *state,
       QualType VarTy = VR->getValueType(getContext());
       uint64_t EleSize = getContext().getTypeSize(EleTy);
       uint64_t VarSize = getContext().getTypeSize(VarTy);
+      assert(VarSize != 0);
       return NonLoc::MakeIntVal(getBasicVals(), VarSize / EleSize, false);
     }
 
@@ -710,15 +711,18 @@ RegionStoreManager::CastRegion(const GRState *state, const MemRegion* R,
     uint64_t ObjTySize = getContext().getTypeSize(ObjTy);
 
     if ((PointeeTySize > 0 && PointeeTySize < ObjTySize) ||
-        (ObjTy->isAggregateType() && PointeeTy->isScalarType())) {
+        (ObjTy->isAggregateType() && PointeeTy->isScalarType()) ||
+       ObjTySize == 0 /* R has 'void*' type. */) {
       // Record the cast type of the region.
       state = setCastType(state, R, ToTy);
 
       SVal Idx = ValMgr.makeZeroArrayIndex();
       ElementRegion* ER = MRMgr.getElementRegion(PointeeTy, Idx,R,getContext());
       return CastResult(state, ER);
-    } else
+    } else {
+      state = setCastType(state, R, ToTy);
       return CastResult(state, R);
+    }
   }
 
   if (isa<ObjCObjectRegion>(R)) {
@@ -930,14 +934,22 @@ SVal RegionStoreManager::Retrieve(const GRState *state, Loc L, QualType T) {
     return UndefinedVal();
   }
 
+  // If the region is already cast to another type, use that type to create the
+  // symbol value.
+  if (const QualType *p = state->get<RegionCasts>(R)) {
+    QualType T = *p;
+    RTy = T->getAsPointerType()->getPointeeType();
+  }
+
   // All other integer values are symbolic.
   if (Loc::IsLocType(RTy) || RTy->isIntegerType())
-    return ValMgr.getRegionValueSymbolVal(R);
+    return ValMgr.getRegionValueSymbolVal(R, RTy);
   else
     return UnknownVal();
 }
 
-SVal RegionStoreManager::RetrieveStruct(const GRState *state, const TypedRegion* R){
+SVal RegionStoreManager::RetrieveStruct(const GRState *state, 
+                                       const TypedRegion* R){
   QualType T = R->getValueType(getContext());
   assert(T->isStructureType());
 
@@ -1220,8 +1232,8 @@ const GRState *RegionStoreManager::RemoveRegionView(const GRState *state,
   return state->set<RegionViewMap>(Base, RVFactory.Remove(*d, View));
 }
 
-const GRState *RegionStoreManager::setCastType(const GRState *state, const MemRegion* R,
-                                           QualType T) {
+const GRState *RegionStoreManager::setCastType(const GRState *state, 
+                                              const MemRegion* R, QualType T) {
   return state->set<RegionCasts>(R, T);
 }
 

diff --git a/lib/Analysis/SVals.cpp b/lib/Analysis/SVals.cpp
index e19b16867b39256144358b1b63dddde2fd3e0382..285d51e506c30e0d950ff82cfc3822cab2af4e6d 100644 (file)
--- a/lib/Analysis/SVals.cpp
+++ b/lib/Analysis/SVals.cpp
@@ -322,11 +322,12 @@ NonLoc NonLoc::MakeCompoundVal(QualType T, llvm::ImmutableList<SVal> Vals,
   return nonloc::CompoundVal(BasicVals.getCompoundValData(T, Vals));
 }
 
-SVal ValueManager::getRegionValueSymbolVal(const MemRegion* R) {
+SVal ValueManager::getRegionValueSymbolVal(const MemRegion* R, QualType T) {
   SymbolRef sym = SymMgr.getRegionValueSymbol(R);
                                 
   if (const TypedRegion* TR = dyn_cast<TypedRegion>(R)) {
-    QualType T = TR->getValueType(SymMgr.getContext());
+    if (!T.getTypePtr())
+      T = TR->getValueType(SymMgr.getContext());
 
     // If T is of function pointer type, create a CodeTextRegion wrapping a
     // symbol.

diff --git a/test/Analysis/casts.c b/test/Analysis/casts.c
index 94a1eac0a316a84d81874d0959ce6cf3ad2a29a5..c5fcdd92e1c66ed0e38737d6c475afafa18ed276 100644 (file)
--- a/test/Analysis/casts.c
+++ b/test/Analysis/casts.c
@@ -14,3 +14,19 @@ void f(int sock) {
     ;
   }
 }
+
+struct s {
+  struct s *value;
+};
+
+// ElementRegion and cast-to pointee type may be of the same size:
+// 'struct s **' and 'int'.
+
+int f1(struct s **pval) {
+  int *tbool = ((void*)0);
+  struct s *t = *pval;
+  pval = &(t->value);
+  tbool = (int *)pval;
+  char c = (unsigned char) *tbool;
+}
+