[analyzer] Fix unreachable creating PathDiagnosticLocation with widen-loops=true

In the original design of the analyzer, it was assumed that a BlockEntrance
doesn't create a new binding on the Store, but this assumption isn't true when
'widen-loops' is set to true. Fix this by finding an appropriate location
BlockEntrace program points.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D37187

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@319333 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/PathDiagnostic.cpp b/lib/StaticAnalyzer/Core/PathDiagnostic.cpp
index 907755683f47c60c8e94a38f2da0f1e47e60802b..669748c0127ab8a5495e48ce297b6f24a286ec82 100644 (file)
--- a/lib/StaticAnalyzer/Core/PathDiagnostic.cpp
+++ b/lib/StaticAnalyzer/Core/PathDiagnostic.cpp
@@ -690,6 +690,15 @@ PathDiagnosticLocation::create(const ProgramPoint& P,
     return getLocationForCaller(CEE->getCalleeContext(),
                                 CEE->getLocationContext(),
                                 SMng);
+  } else if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
+    CFGElement BlockFront = BE->getBlock()->front();
+    if (auto StmtElt = BlockFront.getAs<CFGStmt>()) {
+      return PathDiagnosticLocation(StmtElt->getStmt()->getLocStart(), SMng);
+    } else if (auto NewAllocElt = BlockFront.getAs<CFGNewAllocator>()) {
+      return PathDiagnosticLocation(
+          NewAllocElt->getAllocatorExpr()->getLocStart(), SMng);
+    }
+    llvm_unreachable("Unexpected CFG element at front of block");
   } else {
     llvm_unreachable("Unexpected ProgramPoint");
   }

diff --git a/test/Analysis/loop-widening-notes.cpp b/test/Analysis/loop-widening-notes.cpp
new file mode 100644 (file)
index 0000000..56bde74
--- /dev/null
+++ b/test/Analysis/loop-widening-notes.cpp
@@ -0,0 +1,72 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha -analyzer-max-loop 2 -analyzer-config widen-loops=true -analyzer-output=text -verify %s
+
+int *p_a;
+int bar();
+int flag_a;
+int test_for_bug_25609() {
+  if (p_a == 0) // expected-note {{Assuming 'p_a' is equal to null}} 
+                // expected-note@-1 {{Taking true branch}}
+    bar();
+  for (int i = 0;  // expected-note {{Loop condition is true.  Entering loop body}}                    
+                   // expected-note@-1 {{Loop condition is false. Execution continues on line 16}}
+       ++i,        // expected-note {{Value assigned to 'p_a'}} 
+       i < flag_a;
+       ++i) {}
+                                      
+  *p_a = 25609; // no-crash expected-warning {{Dereference of null pointer (loaded from variable 'p_a')}}
+                // expected-note@-1 {{Dereference of null pointer (loaded from variable 'p_a')}}
+  return *p_a;
+}
+
+int flag_b;
+int while_analyzer_output() {
+  flag_b = 100;
+  int num = 10;
+  while (flag_b-- > 0) { // expected-note {{Loop condition is true.  Entering loop body}} 
+                         // expected-note@-1 {{Value assigned to 'num'}} 
+                         // expected-note@-2 {{Loop condition is false. Execution continues on line 30}}
+    num = flag_b;
+  }
+  if (num < 0) // expected-note {{Assuming 'num' is >= 0}} 
+               // expected-note@-1 {{Taking false branch}}
+    flag_b = 0;
+  else if (num >= 1) // expected-note {{Assuming 'num' is < 1}} 
+                     // expected-note@-1 {{Taking false branch}}
+    flag_b = 50;
+  else
+    flag_b = 100;
+  return flag_b / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note@-1 {{Division by zero}}
+}
+
+int flag_c;
+int do_while_analyzer_output() {
+  int num = 10;
+  do {   // expected-note {{Loop condition is true. Execution continues on line 47}} 
+         // expected-note@-1 {{Loop condition is false.  Exiting loop}}
+    num--;
+  } while (flag_c-- > 0); //expected-note {{Value assigned to 'num'}}
+  int local = 0;
+  if (num == 0)       // expected-note {{Assuming 'num' is equal to 0}} 
+                      // expected-note@-1 {{Taking true branch}}
+    local = 10 / num; // no-crash expected-warning {{Division by zero}}
+                      // expected-note@-1 {{Division by zero}}
+  return local;
+}
+
+int flag_d;
+int test_for_loop() {
+  int num = 10;
+  for (int i = 0;    // expected-note {{Loop condition is true.  Entering loop body}} 
+                     // expected-note@-1 {{Loop condition is false. Execution continues on line 67}}
+       new int(10),  // expected-note {{Value assigned to 'num'}}
+       i < flag_d;
+       ++i) {         
+    ++num;
+  }
+  if (num == 0) // expected-note {{Assuming 'num' is equal to 0}} 
+                // expected-note@-1 {{Taking true branch}}
+    flag_d += 10;
+  return flag_d / num; // no-crash expected-warning {{Division by zero}} 
+                       // expected-note@-1 {{Division by zero}}
+}