From: Anna Zaks Date: Wed, 5 Sep 2012 23:41:54 +0000 (+0000) Subject: [analyzer] Enhance the member expr tracking to account for references. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9b925ac059089dfe74e3b8fa5effe519fb9ee885;p=clang [analyzer] Enhance the member expr tracking to account for references. As per Jordan's suggestion. (Came out of code review for r163261.) git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@163269 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h b/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h index f3206964e3..fe64f93d0d 100644 --- a/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h +++ b/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h @@ -256,6 +256,8 @@ void trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R); const Stmt *GetDerefExpr(const ExplodedNode *N); const Stmt *GetDenomExpr(const ExplodedNode *N); const Stmt *GetRetValExpr(const ExplodedNode *N); +bool isDeclRefExprToReference(const Expr *E); + } // end namespace clang } // end namespace ento diff --git a/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp b/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp index 45f40368ea..45d854b008 100644 --- a/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp +++ b/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp @@ -130,7 +130,7 @@ void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S, } case Stmt::MemberExprClass: { const MemberExpr *M = cast(S); - if (M->isArrow()) { + if (M->isArrow() || bugreporter::isDeclRefExprToReference(M->getBase())) { llvm::raw_svector_ostream os(buf); os << "Access to field '" << M->getMemberNameInfo() << "' results in a dereference of a null pointer"; diff --git a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp index be90de1f34..d5fe1e0a45 100644 --- a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp +++ b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp @@ -31,6 +31,13 @@ using namespace ento; // Utility functions. //===----------------------------------------------------------------------===// +bool bugreporter::isDeclRefExprToReference(const Expr *E) { + if (const DeclRefExpr *DRE = dyn_cast(E)) { + return DRE->getDecl()->getType()->isReferenceType(); + } + return false; +} + const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) { // Pattern match for a few useful cases (do something smarter later): // a[0], p->f, *p @@ -54,7 +61,7 @@ const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) { return U->getSubExpr()->IgnoreParenCasts(); } else if (const MemberExpr *ME = dyn_cast(S)) { - if (ME->isArrow()) { + if (ME->isArrow() || isDeclRefExprToReference(ME->getBase())) { return ME->getBase()->IgnoreParenCasts(); } } diff --git a/test/Analysis/diagnostics/deref-track-symbolic-region.cpp b/test/Analysis/diagnostics/deref-track-symbolic-region.cpp new file mode 100644 index 0000000000..87313de13a --- /dev/null +++ b/test/Analysis/diagnostics/deref-track-symbolic-region.cpp @@ -0,0 +1,16 @@ +// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s + +struct S { + int *x; + int y; +}; + +S &getSomeReference(); +void test(S *p) { + S &r = *p; //expected-note {{Variable 'r' initialized here}} + if (p) return; + //expected-note@-1{{Taking false branch}} + //expected-note@-2{{Assuming pointer value is null}} + r.y = 5; // expected-warning {{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}} + // expected-note@-1{{Access to field 'y' results in a dereference of a null pointer (loaded from variable 'r')}} +}