From 702077f14100f2d7acdb12ad49b53e64efc37d72 Mon Sep 17 00:00:00 2001
From: Anna Zaks
Date: Wed, 3 Apr 2013 21:34:12 +0000
Subject: [PATCH] [analyzer] Allow tracknullOrUndef look through the ternary operator even when condition is unknown
Improvement of r178684 and r178685. Jordan has pointed out that I should not rely on the value of the condition to know which expression branch has been taken. It will not work in cases the branch condition is an unknown value (ex: we do not track the constraints for floats). The better way of doing this would be to find out if the current node is the right or left successor of the node that has the ternary operator as a terminator (which is how this is done in other places, like ConditionBRVisitor).
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@178701 91177308-0d34-0410-b5e6-96231b3b80d8
---
.../Core/BugReporterVisitors.cpp | 30 +++++++++++-------
.../inlining/false-positive-suppression.c | 7 +++--
2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index 60a7e65254..c3bbc3baf6 100644
--- a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -799,21 +799,25 @@ static const Expr *peelOffOuterExpr(const Expr *Ex, // Peel off the ternary operator. if (const ConditionalOperator *CO = dyn_cast(Ex)) { - const Expr *CondEx = CO->getCond(); - - // Find a node where the value of the condition is known. + // Find a node where the branching occured and find out which branch + // we took (true/false) by looking at the ExplodedGraph. + const ExplodedNode *NI = N; do { - ProgramStateRef State = N->getState(); - SVal CondVal = State->getSVal(CondEx, N->getLocationContext()); - ConditionTruthVal CondEvaluated = State->isNull(CondVal); - if (CondEvaluated.isConstrained()) { - if (CondEvaluated.isConstrainedTrue()) - return peelOffOuterExpr(CO->getFalseExpr(), N); - else - return peelOffOuterExpr(CO->getTrueExpr(), N); + ProgramPoint ProgPoint = NI->getLocation(); + if (Optional BE = ProgPoint.getAs()) { + const CFGBlock *srcBlk = BE->getSrc(); + if (const Stmt *term = srcBlk->getTerminator()) { + if (term == CO) { + bool TookTrueBranch = (*(srcBlk->succ_begin()) == BE->getDst()); + if (TookTrueBranch) + return peelOffOuterExpr(CO->getTrueExpr(), N); + else + return peelOffOuterExpr(CO->getFalseExpr(), N); + } + } } - N = N->getFirstPred(); - } while (N); + NI = NI->getFirstPred(); + } while (NI); } return Ex; } diff --git a/test/Analysis/inlining/false-positive-suppression.c b/test/Analysis/inlining/false-positive-suppression.c index 248d854dbc..a836d9c624 100644 --- a/test/Analysis/inlining/false-positive-suppression.c +++ b/test/Analysis/inlining/false-positive-suppression.c 
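Review bot: The backward walk accepts the first `BlockEdge` whose source terminator is `CO` without comparing stack frames, so if the same function is inlined recursively between the branch and `N`, an edge from a different frame could decide which operand is peeled and, through that, whether a null-dereference report is suppressed. Consider `if (term == CO && NI->getLocationContext() == N->getLocationContext())`, or a stack-frame comparison if nested block contexts can differ at this point. `TookTrueBranch` also depends on the CFG listing the true successor first; a one-line comment such as `// CFG convention: the first successor of a conditional terminator is the true branch.` would make that assumption explicit. `peelOffOuterExpr` starts before the hunk, so its other peeling cases are not visible here.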
@@ -260,9 +260,10 @@ int testNestedConditionalOperator(int x) { return *(x ? (x ? 0 : getPtr()) : getPtr()); // expected-warning {{Dereference of null pointer}} } -// False Positve - we are unable to suppress this case because the condition is -// float. int testConditionalOperatorSuppressFloatCond(float x) { - return *(x ? getNull() : getPtr()); // expected-warning {{Dereference of null pointer}} + return *(x ? getNull() : getPtr()); +#ifndef SUPPRESSED + // expected-warning@-2 {{Dereference of null pointer}} +#endif } -- 2.40.0
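Review bot: For an unknown (float) condition, only the arm where the null comes from the true operand is tested; the hunk shows no mirrored case such as `return *(x ? getPtr() : getNull());`, which would exercise the `getFalseExpr()` path and the successor-order assumption in the other direction. Without it, a regression that always peels the true operand would still pass this test. The removed false-positive comment is not replaced, so a short note above the function, e.g. `// The branch taken is read from the ExplodedGraph, so a float condition no longer prevents suppression.`, would explain why the warning is now conditional on `SUPPRESSED`.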