From b5deae519b1f86d514427c412d9f8873d93c909c Mon Sep 17 00:00:00 2001 From: Ted Kremenek Date: Fri, 16 Oct 2009 20:46:24 +0000 Subject: [PATCH] Fix static analyzer crash due to recently add symbolic-value constant folding. The issue was falsely converting the constant value of the LHS of a '<<'/'>>' operation to the same APSInt value of the RHS. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@84269 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Analysis/SimpleSValuator.cpp | 10 +++++++++- test/Analysis/misc-ps.m | 12 ++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/lib/Analysis/SimpleSValuator.cpp b/lib/Analysis/SimpleSValuator.cpp index 636ce15c33..5af4c062e0 100644 --- a/lib/Analysis/SimpleSValuator.cpp +++ b/lib/Analysis/SimpleSValuator.cpp @@ -349,7 +349,15 @@ SVal SimpleSValuator::EvalBinOpNN(const GRState *state, // Does the symbol simplify to a constant? if (Sym->getType(ValMgr.getContext())->isIntegerType()) if (const llvm::APSInt *Constant = state->getSymVal(Sym)) { - // What should we convert it to? + // For shifts, there is no need to perform any conversions + // of the constant. + if (BinaryOperator::isShiftOp(op)) { + lhs = nonloc::ConcreteInt(*Constant); + continue; + } + + // Other cases: do an implicit conversion. This shouldn't be + // necessary once we support truncation/extension of symbolic values. if (nonloc::ConcreteInt *rhs_I = dyn_cast(&rhs)){ BasicValueFactory &BVF = ValMgr.getBasicValueFactory(); lhs = nonloc::ConcreteInt(BVF.Convert(rhs_I->getValue(), diff --git a/test/Analysis/misc-ps.m b/test/Analysis/misc-ps.m index 10e5823c20..48d1111a60 100644 --- a/test/Analysis/misc-ps.m +++ b/test/Analysis/misc-ps.m @@ -691,4 +691,16 @@ void test_constant_symbol(signed char x) { } } +// Test constant-folding of symbolic values, where a folded symbolic value is used in a +// bitshift operation. This previously caused a crash because it triggered an assertion +// in APSInt. +void test_symbol_fold_with_shift(unsigned int * p, unsigned int n, + const unsigned int * grumpkin, unsigned int dn) { + unsigned int i; + unsigned int tempsub[8]; + unsigned int *solgrumpkin = tempsub + n; + for (i = 0; i < n; i++) + solgrumpkin[i] = (i < dn) ? ~grumpkin[i] : 0xFFFFFFFF; + for (i <<= 5; i < (n << 5); i++) {} +} -- 2.40.0