From: Jordan Rose <jordan_rose@apple.com>
Date: Tue, 31 Jul 2012 16:34:07 +0000 (+0000)
Subject: [analyzer] Getting an lvalue for a reference field still requires a load.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6b4be2ef4ce49717ff972434975ce3c34c9a1c4c;p=clang

[analyzer] Getting an lvalue for a reference field still requires a load.

This was causing a crash in our array-to-pointer logic, since the region
was clearly not an array.

PR13440 / <rdar://problem/11977113>

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161051 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/StaticAnalyzer/Core/ExprEngine.cpp b/lib/StaticAnalyzer/Core/ExprEngine.cpp
index a1cd23dc6b..b46dc49a1b 100644
--- a/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -1522,10 +1522,17 @@ void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred,
 
   // For all other cases, compute an lvalue.    
   SVal L = state->getLValue(field, baseExprVal);
-  if (M->isGLValue())
+  if (M->isGLValue()) {
+    if (field->getType()->isReferenceType()) {
+      if (const MemRegion *R = L.getAsRegion())
+        L = state->getSVal(R);
+      else
+        L = UnknownVal();
+    }
+
     Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), false, 0,
                       ProgramPoint::PostLValueKind);
-  else {
+  } else {
     Bldr.takeNodes(Pred);
     evalLoad(Dst, M, M, Pred, state, L);
     Bldr.addNodes(Dst);
diff --git a/test/Analysis/reference.cpp b/test/Analysis/reference.cpp
index e80952b822..a12e0bd41c 100644
--- a/test/Analysis/reference.cpp
+++ b/test/Analysis/reference.cpp
@@ -1,4 +1,6 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
+
+void clang_analyzer_eval(bool);
 
 typedef typeof(sizeof(int)) size_t;
 void malloc (size_t);
@@ -55,3 +57,36 @@ char t6 (char* p) {
   if (*p) return *p;
   return *(char*)0; // no-warning
 }
+
+
+// PR13440 / <rdar://problem/11977113>
+// Test that the array-to-pointer decay works for array references as well.
+// More generally, when we want an lvalue for a reference field, we still need
+// to do one level of load.
+namespace PR13440 {
+  typedef int T[1];
+  struct S {
+    T &x;
+
+    int *m() { return x; }
+  };
+
+  struct S2 {
+    int (&x)[1];
+
+    int *m() { return x; }
+  };
+
+  void test() {
+    int a[1];
+    S s = { a };
+    S2 s2 = { a };
+
+    if (s.x != a) return;
+    if (s2.x != a) return;
+
+    a[0] = 42;
+    clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
+    clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
+  }
+}