[analyzer] Make default bindings to variables actually work.

Default RegionStore bindings represent values that can be obtained by loading
from anywhere within the region, not just the specific offset within the region
that they are said to be bound to. For example, default-binding a character \0
to an int (eg., via memset()) means that the whole int is 0, not just
that its lower byte is 0.

Even though memset and bzero were modeled this way, it didn't work correctly
when applied to simple variables. Eg., in

  int x;
  memset(x, 0, sizeof(x));

we did produce a default binding, but were unable to read it later, and 'x'
was perceived as an uninitialized variable even after memset.

At the same time, if we replace 'x' with a variable of a structure or array
type, accessing fields or elements of such variable was working correctly,
which was enough for most cases. So this was only a problem for variables of
simple integer/enumeration/floating-point/pointer types.

Fix loading default bindings from RegionStore for regions of simple variables.

Add a unit test to document the API contract as well.

Differential Revision: https://reviews.llvm.org/D60742

llvm-svn: 358722

1 files changed, 4 insertions, 1 deletions

diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index 1782d46e614..ffb25dc3d16 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -1927,7 +1927,10 @@ SVal RegionStoreManager::getBindingForVar(RegionBindingsConstRef B,
                                           const VarRegion *R) {
 
   // Check if the region has a binding.
-  if (const Optional<SVal> &V = B.getDirectBinding(R))
+  if (Optional<SVal> V = B.getDirectBinding(R))
+    return *V;
+
+  if (Optional<SVal> V = B.getDefaultBinding(R))
     return *V;
 
   // Lazily derive a value for the VarRegion.