From: Ted Kremenek Date: Thu, 5 Apr 2012 05:56:31 +0000 (+0000) Subject: Handle symbolicating a reference in an initializer expression that we don't understand. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b98b998e9a5637012ab39ad1dabdad7c798721e8;p=clang Handle symbolicating a reference in an initializer expression that we don't understand. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@154084 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index f277a2eaac..ee2d052f28 100644
--- a/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -375,7 +375,12 @@ void ExprEngine::VisitDeclStmt(const DeclStmt *DS, ExplodedNode *Pred,
 // Recover some path-sensitivity if a scalar value evaluated to
 // UnknownVal.
 if (InitVal.isUnknown()) {
- InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC,
+ QualType Ty = InitEx->getType();
+ if (InitEx->isLValue()) {
+ Ty = getContext().getPointerType(Ty);
+ }
+
+ InitVal = svalBuilder.getConjuredSymbolVal(NULL, InitEx, LC, Ty,
 currentBuilderContext->getCurrentBlockCount());
 }
 B.takeNodes(N);
diff --git a/test/Analysis/misc-ps-region-store.cpp b/test/Analysis/misc-ps-region-store.cpp
index e0cedcce93..8d75fb8ef3 100644
--- a/test/Analysis/misc-ps-region-store.cpp
+++ b/test/Analysis/misc-ps-region-store.cpp
@@ -568,3 +568,13 @@ struct PR11146::Entry {
 void PR11146::baz() {
 (void) &Entry::x;
 }
+
+// Test symbolicating a reference. In this example, the
+// analyzer (originally) didn't know how to handle x[index - index2],
+// returning an UnknownVal. The conjured symbol wasn't a location,
+// and would result in a crash.
+void rdar10924675(unsigned short x[], int index, int index2) {
+ unsigned short &y = x[index - index2];
+ if (y == 0)
+ return;
+}
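Review bot: The context comment `// Recover some path-sensitivity if a scalar value evaluated to UnknownVal.` now understates what this block does, because the added lines also conjure a pointer-typed symbol whenever `InitEx->isLValue()`, and nothing in the hunk explains why the type is widened. I would extend the comment with `// For an lvalue initializer (e.g. a reference binding) the conjured symbol must be a location, so conjure it with the pointer-to type instead.` and put a short why-comment on the `getPointerType` line, since a reader has to know that expression types never carry the reference (presumably the reason pointer-to-Ty is the right shape here) to follow it. The enclosing VisitDeclStmt starts and ends outside the hunk, so I cannot see whether any other caller of getConjuredSymbolVal in it needs the same adjustment.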
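Review bot: The new test `rdar10924675` carries no expected diagnostic and makes no assertion in its body, so its only pass condition is that analysis completes without the crash described in the comment; the comment should state that explicitly, e.g. append `// No diagnostic is expected; the test passes as long as the analyzer does not crash.` That saves the next reader from hunting for a missing `expected-warning` if the file's RUN line (outside the hunk) uses -verify. The `if (y == 0) return;` appears to exist only to force the reference to be read, which is worth one clause in the same comment.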