[analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.

The canonical representation of pointer &SymRegion{$x} casted to boolean is
"$x != 0", not "$x". Assertion added in r337227 catches that.

Differential Revision: https://reviews.llvm.org/D48232

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@337228 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index c08cbb09ba82e76911b1dc5a7a48612fae63f4cd..7163e380e6c0abf9fdd3922018050bf102afac46 100644 (file)
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -159,7 +159,8 @@ SVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) {
               return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR));
 
         if (const SymbolicRegion *SymR = R->getSymbolicBase())
-          return nonloc::SymbolVal(SymR->getSymbol());
+          return makeNonLoc(SymR->getSymbol(), BO_NE,
+                            BasicVals.getZeroWithPtrWidth(), castTy);
 
         // FALL-THROUGH
         LLVM_FALLTHROUGH;

diff --git a/test/Analysis/casts.cpp b/test/Analysis/casts.cpp
index 6499b20a79d34688a07bb578311002bbfcbfa5cc..757eb6da6623682a5c21fea801beb90bdfcd03d5 100644 (file)
--- a/test/Analysis/casts.cpp
+++ b/test/Analysis/casts.cpp
@@ -35,3 +35,9 @@ int *&&castToIntPtrRValueRef(char *p) {
 bool testCastToIntPtrRValueRef(char *p, int *s) {
   return castToIntPtrRValueRef(p) != s; // no-crash
 }
+
+bool retrievePointerFromBoolean(int *p) {
+  bool q;
+  *reinterpret_cast<int **>(&q) = p;
+  return q;
+}

diff --git a/test/Analysis/pr37802.cpp b/test/Analysis/pr37802.cpp
new file mode 100644 (file)
index 0000000..647e389
--- /dev/null
+++ b/test/Analysis/pr37802.cpp
@@ -0,0 +1,106 @@
+// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -verify %s
+
+// expected-no-diagnostics
+
+void *operator new(unsigned long, void *h) { return h; }
+
+// I've no idea what this code does, but it used to crash, so let's keep it.
+namespace pr37802_v1 {
+struct J {
+  int *p;
+};
+class X {
+  void *ar;
+
+public:
+  X(void *t) : ar(t) {}
+  template <typename T>
+  void f(const T &t) {
+    new (ar) T(t);
+  }
+};
+class Y {
+public:
+  template <typename T>
+  void f(T &&);
+  void f(J t) {
+    f(*t.p);
+  }
+};
+class Z {
+  int at() const {}
+
+public:
+  Z(const Z &other) {
+    other.au(X(this));
+  }
+  template <typename T>
+  void au(T t) const {
+    void *c = const_cast<Z *>(this);
+    if (at()) {
+      t.f(*static_cast<J *>(c));
+    } else {
+      t.f(*static_cast<bool *>(c));
+    }
+  }
+};
+Z g() {
+  Z az = g();
+  Z e = az;
+  Y d;
+  e.au(d);
+}
+} // namespace pr37802_v1
+
+
+// This slightly modified code crashed differently.
+namespace pr37802_v2 {
+struct J {
+  int *p;
+};
+
+class X {
+  void *ar;
+
+public:
+  X(void *t) : ar(t) {}
+  void f(const J &t) { new (ar) J(t); }
+  void f(const bool &t) { new (ar) bool(t); }
+};
+
+class Y {
+public:
+  void boolf(bool &&);
+  void f(J &&);
+  void f(J t) { boolf(*t.p); }
+};
+
+class Z {
+  int at() const {}
+
+public:
+  Z(const Z &other) { other.au(X(this)); }
+  void au(X t) const {
+    void *c = const_cast<Z *>(this);
+    if (at()) {
+      t.f(*static_cast<J *>(c));
+    } else {
+      t.f(*static_cast<bool *>(c));
+    }
+  }
+  void au(Y t) const {
+    void *c = const_cast<Z *>(this);
+    if (at()) {
+      t.f(*static_cast<J *>(c));
+    } else {
+    }
+  }
+};
+
+Z g() {
+  Z az = g();
+  Z e = az;
+  Y d;
+  e.au(d);
+}
+} // namespace pr37802_v2