Refine PointerSubChecker: compare the base region instead of the original

region, so that arithmetic within a memory chunk is allowed.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86652 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/include/clang/Analysis/PathSensitive/MemRegion.h b/include/clang/Analysis/PathSensitive/MemRegion.h
index 91db5982495b32426858fd5109435a3d079ff51e..06d0d976df011555b3bb103c36163b0fe98a367d 100644 (file)
--- a/include/clang/Analysis/PathSensitive/MemRegion.h
+++ b/include/clang/Analysis/PathSensitive/MemRegion.h
@@ -75,6 +75,8 @@ public:
 
   const MemSpaceRegion *getMemorySpace() const;
 
+  const MemRegion *getBaseRegion() const;
+
   const MemRegion *StripCasts() const;
 
   bool hasStackStorage() const;

diff --git a/lib/Analysis/MemRegion.cpp b/lib/Analysis/MemRegion.cpp
index ad3d36e79d10fe28b2a98354443b4850147514af..8c0b85c0c729689c6cf848b1da10d5f6ede43608 100644 (file)
--- a/lib/Analysis/MemRegion.cpp
+++ b/lib/Analysis/MemRegion.cpp
@@ -378,6 +378,24 @@ bool MemRegion::hasGlobalsOrParametersStorage() const {
   return false;
 }
 
+// getBaseRegion strips away all elements and fields, and get the base region
+// of them.
+const MemRegion *MemRegion::getBaseRegion() const {
+  const MemRegion *R = this;
+  while (true) {
+    if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
+      R = ER->getSuperRegion();
+      continue;
+    }
+    if (const FieldRegion *FR = dyn_cast<FieldRegion>(R)) {
+      R = FR->getSuperRegion();
+      continue;
+    }
+    break;
+  }
+  return R;
+}
+
 //===----------------------------------------------------------------------===//
 // View handling.
 //===----------------------------------------------------------------------===//

diff --git a/lib/Analysis/PointerSubChecker.cpp b/lib/Analysis/PointerSubChecker.cpp
index 5cac8aa99e7968f9349e7836cfdd3de116f95c39..20279c67b3eb886a110a9895844d5d019a876da3 100644 (file)
--- a/lib/Analysis/PointerSubChecker.cpp
+++ b/lib/Analysis/PointerSubChecker.cpp
@@ -48,11 +48,17 @@ void PointerSubChecker::PreVisitBinaryOperator(CheckerContext &C,
   const MemRegion *LR = LV.getAsRegion();
   const MemRegion *RR = RV.getAsRegion();
 
-  if (!(LR && RR) || (LR == RR))
+  if (!(LR && RR))
     return;
 
-  // We don't reason about SymbolicRegions for now.
-  if (isa<SymbolicRegion>(LR) || isa<SymbolicRegion>(RR))
+  const MemRegion *BaseLR = LR->getBaseRegion();
+  const MemRegion *BaseRR = RR->getBaseRegion();
+
+  if (BaseLR == BaseRR)
+    return;
+
+  // Allow arithmetic on different symbolic regions.
+  if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
     return;
 
   if (ExplodedNode *N = C.GenerateNode(B)) {

diff --git a/test/Analysis/ptr-arith.c b/test/Analysis/ptr-arith.c
index 3659ef33658c3bc373753fc89e7a92a3636e93ee..f77d7f5ee5ad23d1d0d1ad56818881d58a7ffd40 100644 (file)
--- a/test/Analysis/ptr-arith.c
+++ b/test/Analysis/ptr-arith.c
@@ -35,6 +35,11 @@ domain_port (const char *domain_b, const char *domain_e,
 void f3() {
   int x, y;
   int d = &y - &x; // expected-warning{{Subtraction of two pointers that do not point to the same memory chunk may cause incorrect result.}}
+
+  int a[10];
+  int *p = &a[2];
+  int *q = &a[8];
+  d = q-p; // no-warning
 }
 
 void f4() {