Teach static analyzer about the basics of handling new[]. We still don't simulate constructors, but at least the analyzer doesn't think the return value is uninitialized.

llvm-svn: 128611

1 files changed, 12 insertions, 9 deletions

diff --git a/clang/lib/StaticAnalyzer/Core/CXXExprEngine.cpp b/clang/lib/StaticAnalyzer/Core/CXXExprEngine.cpp
index b015d4f264d..b299fcc1c1d 100644
--- a/clang/lib/StaticAnalyzer/Core/CXXExprEngine.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CXXExprEngine.cpp
@@ -199,20 +199,23 @@ void ExprEngine::VisitCXXDestructor(const CXXDestructorDecl *DD,
 
 void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
                                    ExplodedNodeSet &Dst) {
-  if (CNE->isArray()) {
-    // FIXME: allocating an array has not been handled.
-    return;
-  }
-
+  
   unsigned Count = Builder->getCurrentBlockCount();
   DefinedOrUnknownSVal symVal =
     svalBuilder.getConjuredSymbolVal(NULL, CNE, CNE->getType(), Count);
-  const MemRegion *NewReg = cast<loc::MemRegionVal>(symVal).getRegion();
-
+  const MemRegion *NewReg = cast<loc::MemRegionVal>(symVal).getRegion();  
   QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType();
-
   const ElementRegion *EleReg = 
-                         getStoreManager().GetElementZeroRegion(NewReg, ObjTy);
+    getStoreManager().GetElementZeroRegion(NewReg, ObjTy);
+
+  if (CNE->isArray()) {
+    // FIXME: allocating an array requires simulating the constructors.
+    // For now, just return a symbolicated region.
+    const GRState *state = GetState(Pred);
+    state = state->BindExpr(CNE, loc::MemRegionVal(EleReg));
+    MakeNode(Dst, CNE, Pred, state);
+    return;
+  }
 
   // Evaluate constructor arguments.
   const FunctionProtoType *FnType = NULL;