Fix: <rdar://problem/7242015> [RegionStore] variable passed-by-reference (via integer) to function call not invalidated

llvm-svn: 82523

1 files changed, 9 insertions, 8 deletions

diff --git a/clang/lib/Analysis/CFRefCount.cpp b/clang/lib/Analysis/CFRefCount.cpp
index 81ebccb76a0..970646f7642 100644
--- a/clang/lib/Analysis/CFRefCount.cpp
+++ b/clang/lib/Analysis/CFRefCount.cpp
@@ -2786,6 +2786,7 @@ void CFRefCount::EvalSummary(ExplodedNodeSet& Dst,
         continue;
       }
 
+  tryAgain:
     if (isa<Loc>(V)) {
       if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(&V)) {
         if (Summ.getArg(idx) == DoNothingByRef)
@@ -2837,17 +2838,17 @@ void CFRefCount::EvalSummary(ExplodedNodeSet& Dst,
       }
       else {
         // Nuke all other arguments passed by reference.
-        // FIXME: is this necessary or correct? unbind only removes the binding.
-        // We should bind it to UnknownVal explicitly. Otherwise default value
-        // may be loaded.
+        // FIXME: is this necessary or correct? This handles the non-Region
+        //  cases.  Is it ever valid to store to these?
         state = state->unbindLoc(cast<Loc>(V));
       }
     }
-    else if (isa<nonloc::LocAsInteger>(V))
-      // FIXME: is this necessary or correct? unbind only removes the binding.
-      // We should bind it to UnknownVal explicitly. Otherwise default value
-      // may be loaded.
-      state = state->unbindLoc(cast<nonloc::LocAsInteger>(V).getLoc());
+    else if (isa<nonloc::LocAsInteger>(V)) {
+      // If we are passing a location wrapped as an integer, unwrap it and
+      // invalidate the values referred by the location.
+      V = cast<nonloc::LocAsInteger>(V).getLoc();
+      goto tryAgain;
+    }
   }
 
   // Evaluate the effect on the message receiver.