From 2a7b127580048185cc12b1fcbc0ea0e1d09a5d4b Mon Sep 17 00:00:00 2001
From: Gabor Horvath
Date: Fri, 18 Sep 2015 19:13:22 +0000
Subject: [PATCH] [analyzer] A fix for substraction of an integer from a pointer. Patch by Artem Dergachev!
Differential Revision: http://reviews.llvm.org/D12725
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@248021 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp | 3 ++-
 test/Analysis/ptr-arith.c | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index 6989526a56..a704ce2245 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -911,8 +911,9 @@ SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
 elementType = elemReg->getElementType();
 }
 else if (isa(region)) {
+ assert(op == BO_Add || op == BO_Sub);
+ index = (op == BO_Add) ? rhs : evalMinus(rhs);
 superR = region;
- index = rhs;
 if (resultTy->isAnyPointerType())
 elementType = resultTy->getPointeeType();
 }
diff --git a/test/Analysis/ptr-arith.c b/test/Analysis/ptr-arith.c
index 96dc8bacbc..57463cc7c8 100644
--- a/test/Analysis/ptr-arith.c
+++ b/test/Analysis/ptr-arith.c
@@ -296,3 +296,20 @@ void symbolicFieldRegion(struct Point *points, int i, int j) {
 clang_analyzer_eval(&points[i].x < &points[i].y);// expected-warning{{TRUE}}
 }
+void negativeIndex(char *str) {
+ *(str + 1) = 'a';
+ clang_analyzer_eval(*(str + 1) == 'a'); // expected-warning{{TRUE}}
+ clang_analyzer_eval(*(str - 1) == 'a'); // expected-warning{{UNKNOWN}}
+
+ char *ptr1 = str - 1;
+ clang_analyzer_eval(*ptr1 == 'a'); // expected-warning{{UNKNOWN}}
+
+ char *ptr2 = str;
+ ptr2 -= 1;
+ clang_analyzer_eval(*ptr2 == 'a'); // expected-warning{{UNKNOWN}}
+
+ char *ptr3 = str;
+ --ptr3;
+ clang_analyzer_eval(*ptr3 == 'a'); // expected-warning{{UNKNOWN}}
+}
+
-- 
2.50.1
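Review bot: The new `assert(op == BO_Add || op == BO_Sub);` is the only guard on the opcode, and the ternary on the following line sends every opcode other than BO_Add through `evalMinus(rhs)`, so in a build with assertions disabled an unexpected operator would be silently modelled as a subtraction. I would give the assert a message, `assert((op == BO_Add || op == BO_Sub) && "pointer arithmetic expects + or -");`, and put a comment above the assignment such as `// Model 'ptr - n' as element index -n so it is not aliased with 'ptr + n'.`. It is also worth confirming what `evalMinus` yields for a symbolic or unsigned `rhs`, since the result is presumably used as an element index further down. That use, and the start and end of evalBinOpLN, are outside this hunk.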
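Review bot: negativeIndex only exercises the concrete offset 1 on a symbolic `char *` parameter, so the negated-index path is never tested with a non-constant or unsigned right-hand side. A case such as `clang_analyzer_eval(*(str - i) == 'a');` with an `int i` parameter, plus one using `1u`, would pin what the analyzer reports there; I would expect UNKNOWN, but that needs confirming against the implementation. A case on a local array, where `buf - 1` lies before the start of the buffer, would also document that the underflowing access is no longer aliased with `buf + 1`.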