From 31d5daeb5c83e89b0baf4efe509932d583af966f Mon Sep 17 00:00:00 2001
From: Alexander Shaposhnikov
Date: Mon, 25 Sep 2017 19:32:33 +0000
Subject: [PATCH] [analyzer] Fix crash on modeling of pointer arithmetic
This patch fixes analyzer's crash on the newly added test case (see also https://bugs.llvm.org/show_bug.cgi?id=34374). Pointers subtraction appears to be modeled incorrectly in the following example: char* p; auto n = p - reinterpret_cast((unsigned long)1); In this case the analyzer (built without this patch) tries to create a symbolic value for the difference treating reinterpret_cast((unsigned long)1) as an integer, that is not correct.
Differential revision: https://reviews.llvm.org/D38214
Test plan: make check-all
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@314141 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp | 8 +++++---
 test/Analysis/ptr-arith.cpp | 6 ++++++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index f2aa2017ca..bb4c2a6b52 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -726,9 +726,11 @@ SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state,
 if (Optional rInt = rhs.getAs()) {
 // If one of the operands is a symbol and the other is a constant,
 // build an expression for use by the constraint manager.
- if (SymbolRef lSym = lhs.getAsLocSymbol(true))
- return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
-
+ if (SymbolRef lSym = lhs.getAsLocSymbol(true)) {
+ if (BinaryOperator::isComparisonOp(op))
+ return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);
+ return UnknownVal();
+ }
 // Special case comparisons to NULL.
 // This must come after the test if the LHS is a symbol, which is used to
 // build constraints. The address of any non-symbolic region is guaranteed
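Review bot: The new `return UnknownVal();` is undocumented, and the comment just above it (`// If one of the operands is a symbol and the other is a constant, // build an expression for use by the constraint manager.`) now describes only the comparison branch, so a reader cannot tell why arithmetic between a symbolic pointer and a concrete address is deliberately left unmodeled. Add a line before the early return, e.g. `// Only comparisons are modeled here: for other ops (e.g. a pointer difference) MakeSymIntVal would treat the concrete address as an integer offset, which is the incorrect modeling described in PR34374.`. It is also worth stating in that comment that this is a precision trade-off rather than a modeling fix: any later null or bounds check on the result of such a subtraction now sees an unconstrained value, which is acceptable for a crash fix but should be a conscious choice. The enclosing `evalBinOpLL` begins before this hunk and continues after it.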
diff --git a/test/Analysis/ptr-arith.cpp b/test/Analysis/ptr-arith.cpp
index 01adf476e4..1eec83c643 100644
--- a/test/Analysis/ptr-arith.cpp
+++ b/test/Analysis/ptr-arith.cpp
@@ -111,3 +111,9 @@ bool ptrAsIntegerSubtractionNoCrash(__UINTPTR_TYPE__ x, char *p) {
 __UINTPTR_TYPE__ y = (__UINTPTR_TYPE__)p - 1;
 return y == x;
 }
+
+// Bug 34374
+bool integerAsPtrSubtractionNoCrash(char *p, __UINTPTR_TYPE__ m) {
+ auto n = p - reinterpret_cast((__UINTPTR_TYPE__)1);
+ return n == m;
+}
-- 
2.49.0
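Review bot: The new test only proves the analyzer no longer crashes; it does not pin what is now modeled for `n`, so a later regression back to a bogus symbolic `$p - 1` value would pass unnoticed. If this file's RUN line already enables `debug.ExprInspection` (not visible in this hunk), add `clang_analyzer_eval(n == m); // expected-warning{{UNKNOWN}}` after the subtraction to lock in the UnknownVal result the code change introduces. Separately, the template argument of `reinterpret_cast` is missing in this rendering (presumably `char *`, matching the `char* p` example in the commit message); confirm the committed source carries it, since the cast does not compile without one.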