Handle disgusting corner case where a byte is loaded from the address of a function.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@78000 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp
index 543783d924f5fd6725c273fb36d3252d60fd82ac..c47aaa20e07c9b1b938033aca2a55d6d55b77f74 100644 (file)
--- a/lib/Analysis/RegionStore.cpp
+++ b/lib/Analysis/RegionStore.cpp
@@ -882,6 +882,9 @@ RegionStoreManager::Retrieve(const GRState *state, Loc L, QualType T) {
     MR = MRMgr.getElementRegion(T, idx, MR, Ctx);
   }
   
+  if (isa<CodeTextRegion>(MR))
+    return SValuator::CastResult(state, UnknownVal());
+  
   // FIXME: Perhaps this method should just take a 'const MemRegion*' argument
   //  instead of 'Loc', and have the other Loc cases handled at a higher level.
   const TypedRegion *R = cast<TypedRegion>(MR);
@@ -1000,7 +1003,6 @@ SVal RegionStoreManager::RetrieveElement(const GRState* state,
   if (R->getIndex().isZeroConstant()) {
     if (const TypedRegion *superTR = dyn_cast<TypedRegion>(superR)) {
       ASTContext &Ctx = getContext();
-
       if (IsAnyPointerOrIntptr(superTR->getValueType(Ctx), Ctx)) {
         QualType valTy = R->getValueType(Ctx);
         if (IsAnyPointerOrIntptr(valTy, Ctx)) {

diff --git a/test/Analysis/misc-ps.m b/test/Analysis/misc-ps.m
index c4fa7a8a1d04f59caee27d7faf2ed1554fdaff09..5cfcd714cdb0640dfffb8b6bbc72b7a60ffa7523 100644 (file)
--- a/test/Analysis/misc-ps.m
+++ b/test/Analysis/misc-ps.m
@@ -499,3 +499,12 @@ void test_cast_const_voidptr() {
   char *p = &x[1];
   const void* q = p;
 }
+
+// Reduced from a crash when analyzing Wine.  This test handles loads from
+// function addresses.
+typedef long (*FARPROC)();
+FARPROC test_load_func(FARPROC origfun) {
+  if (!*(unsigned char*) origfun)
+    return origfun;
+  return 0;
+}