diff options
| author | Jordan Rose <jordan_rose@apple.com> | 2012-08-20 17:04:45 +0000 |
|---|---|---|
| committer | Jordan Rose <jordan_rose@apple.com> | 2012-08-20 17:04:45 +0000 |
| commit | 0a9ea7c70de2db1e8de3f75fbac61d302ef52375 (patch) | |
| tree | b088b91232261fb4babfbbb068b99b05b31f74f2 | |
| parent | 486290078c7af9afefe0564f2094047f07ee84a5 (diff) | |
| download | bcm5719-llvm-0a9ea7c70de2db1e8de3f75fbac61d302ef52375.tar.gz bcm5719-llvm-0a9ea7c70de2db1e8de3f75fbac61d302ef52375.zip | |
[analyzer] The result of && or || is always a 1 or 0.
Forgetting to at least cast the result was giving us Loc/NonLoc problems
in SValBuilder (hitting an assertion). But the standard (both C and C++)
does actually guarantee that && and || will result in the actual values
1 and 0, typed as 'int' in C and 'bool' in C++, and we can easily model that.
PR13461
llvm-svn: 162209
| -rw-r--r-- | clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp | 22 | ||||
| -rw-r--r-- | clang/test/Analysis/logical-ops.c | 27 |
2 files changed, 47 insertions, 2 deletions
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp index 46cba81b14f..3e14765875d 100644 --- a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp +++ b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp @@ -531,10 +531,28 @@ void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred, else { // If there is no terminator, by construction the last statement // in SrcBlock is the value of the enclosing expression. + // However, we still need to constrain that value to be 0 or 1. assert(!SrcBlock->empty()); CFGStmt Elem = cast<CFGStmt>(*SrcBlock->rbegin()); - const Stmt *S = Elem.getStmt(); - X = N->getState()->getSVal(S, Pred->getLocationContext()); + const Expr *RHS = cast<Expr>(Elem.getStmt()); + SVal RHSVal = N->getState()->getSVal(RHS, Pred->getLocationContext()); + + DefinedOrUnknownSVal DefinedRHS = cast<DefinedOrUnknownSVal>(RHSVal); + ProgramStateRef StTrue, StFalse; + llvm::tie(StTrue, StFalse) = N->getState()->assume(DefinedRHS); + if (StTrue) { + if (StFalse) { + // We can't constrain the value to 0 or 1; the best we can do is a cast. + X = getSValBuilder().evalCast(RHSVal, B->getType(), RHS->getType()); + } else { + // The value is known to be true. + X = getSValBuilder().makeIntVal(1, B->getType()); + } + } else { + // The value is known to be false. + assert(StFalse && "Infeasible path!"); + X = getSValBuilder().makeIntVal(0, B->getType()); + } } Bldr.generateNode(B, Pred, state->BindExpr(B, Pred->getLocationContext(), X)); diff --git a/clang/test/Analysis/logical-ops.c b/clang/test/Analysis/logical-ops.c new file mode 100644 index 00000000000..a1223b39fa8 --- /dev/null +++ b/clang/test/Analysis/logical-ops.c @@ -0,0 +1,27 @@ +// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -verify %s + +void clang_analyzer_eval(int); + +void testAnd(int i, int *p) { + int *nullP = 0; + int *knownP = &i; + clang_analyzer_eval((knownP && knownP) == 1); // expected-warning{{TRUE}} + clang_analyzer_eval((knownP && nullP) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval((knownP && p) == 1); // expected-warning{{UNKNOWN}} +} + +void testOr(int i, int *p) { + int *nullP = 0; + int *knownP = &i; + clang_analyzer_eval((nullP || knownP) == 1); // expected-warning{{TRUE}} + clang_analyzer_eval((nullP || nullP) == 0); // expected-warning{{TRUE}} + clang_analyzer_eval((nullP || p) == 1); // expected-warning{{UNKNOWN}} +} + + +// PR13461 +int testTypeIsInt(int i, void *p) { + if (i | (p && p)) + return 1; + return 0; +} |
