Fix a horrid bug in GRExprEngine::CheckerVisit() that was identified

by the test case in PR 5627.  Essentially we shouldn't clear the
ExplodedNodeSet where we deposit newly constructed nodes if that set
is the 'Dst' set passed in.  It is not okay to clear that set because
it may already contain nodes.

llvm-svn: 90931

1 files changed, 20 insertions, 0 deletions

diff --git a/clang/test/Analysis/misc-ps-eager-assume.m b/clang/test/Analysis/misc-ps-eager-assume.m
index e702cb968a5..0eb1bacee05 100644
--- a/clang/test/Analysis/misc-ps-eager-assume.m
+++ b/clang/test/Analysis/misc-ps-eager-assume.m
@@ -120,3 +120,23 @@ void rdar7342806() {
     // be true when Pointer is not NULL.
     rdar7342806_aux(*Pointer); // no-warning
 }
+
+//===---------------------------------------------------------------------===//
+// PR 5627 - http://llvm.org/bugs/show_bug.cgi?id=5627
+//  This test case depends on using -analyzer-eagerly-assume and
+//  -analyzer-store=region.  The '-analyzer-eagerly-assume' causes the path
+//  to bifurcate when evaluating the function call argument, and a state
+//  caching bug in GRExprEngine::CheckerVisit (and friends) caused the store
+//  to 'p' to not be evaluated along one path, but then an autotransition caused
+//  the path to keep on propagating with 'p' still set to an undefined value.
+//  We would then get a bogus report of returning uninitialized memory.
+//===---------------------------------------------------------------------===//
+
+float *pr5627_f(int y);
+
+float *pr5627_g(int x) {
+  float *p;
+  p = pr5627_f(!x);
+  return p; // no-warning
+}
+