From: Jordan Rose Date: Sat, 30 Mar 2013 01:31:42 +0000 (+0000) Subject: [analyzer] Handle caching out while evaluating a C++ new expression. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e6f2bf86288bc45060b21c4f55a6153b8ba80443;p=clang [analyzer] Handle caching out while evaluating a C++ new expression. Evaluating a C++ new expression now includes generating an intermediate ExplodedNode, and this node could very well represent a previously- reachable state in the ExplodedGraph. If so, we can short-circuit the rest of the evaluation. Caught by the assertion a few lines later. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178401 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp b/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp index c1dd6b2220..64c361d4d8 100644 --- a/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp +++ b/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp @@ -351,15 +351,16 @@ void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, State = State->BindExpr(CNE, LCtx, symVal); } - Bldr.generateNode(CNE, Pred, State); + ExplodedNode *NewN = Bldr.generateNode(CNE, Pred, State); + if (!NewN) + return; // If the type is not a record, we won't have a CXXConstructExpr as an // initializer. Copy the value over. if (const Expr *Init = CNE->getInitializer()) { if (!isa(Init)) { assert(Bldr.getResults().size() == 1); - ExplodedNode *TmpN = *Bldr.getResults().begin(); - Bldr.takeNodes(TmpN); + Bldr.takeNodes(NewN); assert(!CNE->getType()->getPointeeCXXRecordDecl()); diff --git a/test/Analysis/new.cpp b/test/Analysis/new.cpp index 004a05ef94..44ae9802f8 100644 --- a/test/Analysis/new.cpp +++ b/test/Analysis/new.cpp @@ -94,6 +94,14 @@ void testNewInvalidationScalarPlacement(int **p) { new (p) (int *)(static_cast(malloc(4))); // no-warning } +void testCacheOut(PtrWrapper w) { + extern bool coin(); + if (coin()) + w.x = 0; + new (&w.x) (int*)(0); // we cache out here; don't crash +} + + //-------------------------------------------------------------------- // Check for intersection with other checkers from MallocChecker.cpp // bounded with unix.Malloc