author | Ted Kremenek <kremenek@apple.com> | 2009-12-23 02:52:14 +0000 |
---|---|---|
committer | Ted Kremenek <kremenek@apple.com> | 2009-12-23 02:52:14 +0000 |
commit | 25e280bf02064eaf143c43ebc5e8889c923f8fa3 (patch) | |
tree | e5e34c85863fea5d7a2390a1e4a61ff043cad3e9 | |
parent | fdb33458fcfcbea6989b9dff2ac853c89002e9d9 (diff) | |
download | bcm5719-llvm-25e280bf02064eaf143c43ebc5e8889c923f8fa3.tar.gz bcm5719-llvm-25e280bf02064eaf143c43ebc5e8889c923f8fa3.zip |
Fix PR 5857. When casting a symbolic region to an integer and then back to a pointer value, we were not layering the correct ElementRegion on the original SymbolicRegion.
llvm-svn: 91981
-rw-r--r-- | clang/lib/Analysis/SValuator.cpp | 17 | ||||
-rw-r--r-- | clang/test/Analysis/misc-ps-region-store.m | 28 |
2 files changed, 36 insertions, 9 deletions
diff --git a/clang/lib/Analysis/SValuator.cpp b/clang/lib/Analysis/SValuator.cpp index ac727b0ac69..49bc0c4c598 100644 --- a/clang/lib/Analysis/SValuator.cpp +++ b/clang/lib/Analysis/SValuator.cpp @@ -72,10 +72,14 @@ SValuator::CastResult SValuator::EvalCast(SVal val, const GRState *state, // Check for casts from integers to pointers. if (Loc::IsLocType(castTy) && originalTy->isIntegerType()) { if (nonloc::LocAsInteger *LV = dyn_cast<nonloc::LocAsInteger>(&val)) { - // Just unpackage the lval and return it. + if (const MemRegion *R = LV->getLoc().getAsRegion()) { + StoreManager &storeMgr = ValMgr.getStateManager().getStoreManager(); + R = storeMgr.CastRegion(R, castTy); + return R ? CastResult(state, loc::MemRegionVal(R)) + : CastResult(state, UnknownVal()); + } return CastResult(state, LV->getLoc()); } - goto DispatchCast; } @@ -136,15 +140,12 @@ SValuator::CastResult SValuator::EvalCast(SVal val, const GRState *state, // different type. If the MemRegion* returned is NULL, this expression // evaluates to UnknownVal. R = storeMgr.CastRegion(R, castTy); - - if (R) - return CastResult(state, loc::MemRegionVal(R)); - - return CastResult(state, UnknownVal()); + return R ? CastResult(state, loc::MemRegionVal(R)) + : CastResult(state, UnknownVal()); } - // All other cases. DispatchCast: + // All other cases. return CastResult(state, isa<Loc>(val) ? EvalCastL(cast<Loc>(val), castTy) : EvalCastNL(cast<NonLoc>(val), castTy)); diff --git a/clang/test/Analysis/misc-ps-region-store.m b/clang/test/Analysis/misc-ps-region-store.m index 8eae643ec7d..7216608fe9f 100644 --- a/clang/test/Analysis/misc-ps-region-store.m +++ b/clang/test/Analysis/misc-ps-region-store.m 
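Review bot: The new `if (const MemRegion *R = LV->getLoc().getAsRegion())` branch in the first SValuator.cpp hunk drops the old comment without replacing it, so nothing explains why the unwrapped location can no longer be returned as-is. A comment such as `// Re-cast the region so it is viewed as castTy; returning the raw loc loses the ElementRegion layer (PR 5857).` would record that. The branch also repeats the `CastRegion` call and the `R ? ... : UnknownVal()` wrap that the second hunk (@@ -136) rewrites, so the two paths can drift apart; a small static helper taking the region and `castTy` would keep them in step. EvalCast starts and ends outside both hunks, so whether the checks that precede the later `CastRegion` call are also needed on this path cannot be confirmed from this page.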
@@ -1,5 +1,5 @@ // RUN: %clang_cc1 -triple i386-apple-darwin9 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s -// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s +// RUN: %clang_cc1 -triple x86_64-apple-darwin9 -DTEST_64 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -verify -fblocks -analyzer-opt-analyze-nested-blocks %s typedef struct objc_selector *SEL; typedef signed char BOOL; @@ -23,6 +23,13 @@ extern id NSAllocateObject(Class aClass, NSUInteger extraBytes, NSZone *zone); @end extern NSString * const NSConnectionReplyMode; +#ifdef TEST_64 +typedef long long int64_t; +typedef int64_t intptr_t; +#else +typedef int int32_t; +typedef int32_t intptr_t; +#endif //--------------------------------------------------------------------------- // Test case 'checkaccess_union' differs for region store and basic store. @@ -636,3 +643,22 @@ void rdar7468209() { }(); } +//===----------------------------------------------------------------------===// +// PR 5857 - Test loading an integer from a byte array that has also been +// reinterpreted to be loaded as a field. +//===----------------------------------------------------------------------===// + +typedef struct { int x; } TestFieldLoad; +int pr5857(char *src) { + TestFieldLoad *tfl = (TestFieldLoad *) (intptr_t) src; + int y = tfl->x; + long long *z = (long long *) (intptr_t) src; + long long w = 0; + int n = 0; + for (n = 0; n < y; ++n) { + // Previously we crashed analyzing this statement. + w = *z++; + } + return 1; +} + |
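Review bot: The `intptr_t` typedefs added in the second hunk of misc-ps-region-store.m depend on the hand-passed `-DTEST_64` from the RUN line in the first hunk. A future RUN line with a 64-bit triple that omits the define would get a 32-bit `intptr_t`, and `pr5857` would then round-trip a truncated pointer rather than the case it is meant to cover. Keying on a compiler-predefined macro, `#ifdef __LP64__`, would tie the width to the triple itself. A short comment above the typedefs, e.g. `// intptr_t must match the pointer width of the -triple in each RUN line.`, would help either way.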