diff options
| author | Ted Kremenek <kremenek@apple.com> | 2009-12-16 03:18:58 +0000 |
|---|---|---|
| committer | Ted Kremenek <kremenek@apple.com> | 2009-12-16 03:18:58 +0000 |
| commit | 4cad5fc0354fbe75e4fe383a8fb704ab70a8aaf0 (patch) | |
| tree | 1f806dcdc391d29e30886faa6fe459035c7579ca /clang/lib/Analysis/RegionStore.cpp | |
| parent | 11ba8d989c9e5f821154bcc07d158f99527d4d0e (diff) | |
| download | bcm5719-llvm-4cad5fc0354fbe75e4fe383a8fb704ab70a8aaf0.tar.gz bcm5719-llvm-4cad5fc0354fbe75e4fe383a8fb704ab70a8aaf0.zip | |
Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.
The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements. Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue. DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.
The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.
In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents. EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).
Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).
Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references. This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.
llvm-svn: 91501
Diffstat (limited to 'clang/lib/Analysis/RegionStore.cpp')
| -rw-r--r-- | clang/lib/Analysis/RegionStore.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/clang/lib/Analysis/RegionStore.cpp b/clang/lib/Analysis/RegionStore.cpp index a96f6c85be8..bc3680e23da 100644 --- a/clang/lib/Analysis/RegionStore.cpp +++ b/clang/lib/Analysis/RegionStore.cpp @@ -1424,7 +1424,13 @@ const GRState *RegionStoreManager::Bind(const GRState *state, Loc L, SVal V) { // Binding directly to a symbolic region should be treated as binding // to element 0. QualType T = SR->getSymbol()->getType(getContext()); - T = T->getAs<PointerType>()->getPointeeType(); + + // FIXME: Is this the right way to handle symbols that are references? + if (const PointerType *PT = T->getAs<PointerType>()) + T = PT->getPointeeType(); + else + T = T->getAs<ReferenceType>()->getPointeeType(); + R = GetElementZeroRegion(SR, T); } |
