From 1baf407fbcaaccc33a6c30de9b2b39d258b919c5 Mon Sep 17 00:00:00 2001
From: Ted Kremenek <kremenek@apple.com>
Date: Sat, 17 Oct 2009 07:39:35 +0000
Subject: Fix another static analyzer crash due to a corner case in "folding"
 symbolic values that are constrained to be a constant.

llvm-svn: 84320
---
 clang/lib/Analysis/SimpleSValuator.cpp | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

(limited to 'clang/lib/Analysis/SimpleSValuator.cpp')

diff --git a/clang/lib/Analysis/SimpleSValuator.cpp b/clang/lib/Analysis/SimpleSValuator.cpp
index 5af4c062e08..4487aa9d302 100644
--- a/clang/lib/Analysis/SimpleSValuator.cpp
+++ b/clang/lib/Analysis/SimpleSValuator.cpp
@@ -346,24 +346,29 @@ SVal SimpleSValuator::EvalBinOpNN(const GRState *state,
       nonloc::SymbolVal *slhs = cast<nonloc::SymbolVal>(&lhs);
       SymbolRef Sym = slhs->getSymbol();
       
-      // Does the symbol simplify to a constant?
+      // Does the symbol simplify to a constant?  If so, "fold" the constant
+      // by setting 'lhs' to a ConcreteInt and try again.
       if (Sym->getType(ValMgr.getContext())->isIntegerType())
         if (const llvm::APSInt *Constant = state->getSymVal(Sym)) {
-          // For shifts, there is no need to perform any conversions
-          // of the constant.
-          if (BinaryOperator::isShiftOp(op)) {
-            lhs = nonloc::ConcreteInt(*Constant);
+          // The symbol evaluates to a constant. If necessary, promote the
+          // folded constant (LHS) to the result type.
+          BasicValueFactory &BVF = ValMgr.getBasicValueFactory();
+          const llvm::APSInt &lhs_I = BVF.Convert(resultTy, *Constant);
+          lhs = nonloc::ConcreteInt(lhs_I);
+          
+          // Also promote the RHS (if necessary).
+
+          // For shifts, it necessary promote the RHS to the result type.
+          if (BinaryOperator::isShiftOp(op))
             continue;
-          }
           
-          // Other cases: do an implicit conversion.  This shouldn't be
+          // Other operators: do an implicit conversion.  This shouldn't be
           // necessary once we support truncation/extension of symbolic values.
           if (nonloc::ConcreteInt *rhs_I = dyn_cast<nonloc::ConcreteInt>(&rhs)){
-            BasicValueFactory &BVF = ValMgr.getBasicValueFactory();
-            lhs = nonloc::ConcreteInt(BVF.Convert(rhs_I->getValue(),
-                                                  *Constant));
-            continue;
+            rhs = nonloc::ConcreteInt(BVF.Convert(resultTy, rhs_I->getValue()));
           }
+          
+          continue;
         }
       
       if (isa<nonloc::ConcreteInt>(rhs)) {
-- 
cgit v1.2.3