From ede0983f8858b4acf1978e2d650603a471f3bfc3 Mon Sep 17 00:00:00 2001
From: Anna Zaks
Date: Wed, 3 Apr 2013 19:28:12 +0000
Subject: [analyzer] Properly handle the ternary operator in trackNullOrUndefValue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1) Look for the node where the condition expression is live when checking if it is constrained to true or false.
2) Fix a bug in ProgramState::isNull, which was masking the problem. When the expression is not a symbol (,which is the case when it is Unknown) return unconstrained value, instead of value constrained to “false”! (Thankfully other callers of isNull have not been effected by the bug.)

llvm-svn: 178684
---
 .../StaticAnalyzer/Core/BugReporterVisitors.cpp | 27 ++++++++++++++--------
 clang/lib/StaticAnalyzer/Core/ProgramState.cpp | 6 ++++-
 2 files changed, 22 insertions(+), 11 deletions(-)

(limited to 'clang/lib/StaticAnalyzer')

diff --git a/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index 5f364304e8d..7f71b8e81ed 100644
--- a/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -800,14 +800,22 @@ static const Expr *peelOffOuterExpr(const Stmt *S,
 // Peel off the ternary operator.
 if (const ConditionalOperator *CO = dyn_cast(Ex)) {
- ProgramStateRef State = N->getState();
- SVal CondVal = State->getSVal(CO->getCond(), N->getLocationContext());
- if (State->isNull(CondVal).isConstrainedTrue()) {
- return CO->getTrueExpr();
- } else {
- assert(State->isNull(CondVal).isConstrainedFalse());
- return CO->getFalseExpr();
- }
+ const Expr *CondEx = CO->getCond();
+
+ // Find a node where the value of the condition is known.
+ do {
+ ProgramStateRef State = N->getState();
+ SVal CondVal = State->getSVal(CondEx, N->getLocationContext());
+ ConditionTruthVal CondEvaluated = State->isNull(CondVal);
+ if (CondEvaluated.isConstrained()) {
+ if (CondEvaluated.isConstrainedTrue())
+ return CO->getFalseExpr();
+ else
+ return CO->getTrueExpr();
+ }
+ N = N->getFirstPred();
+ } while (N);
+
 }
 }
 return 0;
@@ -820,9 +828,8 @@ bool bugreporter::trackNullOrUndefValue(const ExplodedNode *N,
 if (!S || !N)
 return false;
- if (const Expr *Ex = peelOffOuterExpr(S, N)) {
+ if (const Expr *Ex = peelOffOuterExpr(S, N))
 S = Ex;
- }
 const Expr *Inner = 0;
 if (const Expr *Ex = dyn_cast(S)) {
diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
index f3e80f19c92..bff2242925e 100644
--- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -380,9 +380,13 @@ ConditionTruthVal ProgramState::isNull(SVal V) const {
 if (V.isZeroConstant())
 return true;
+ if (V.isConstant())
+ return false;
+
 SymbolRef Sym = V.getAsSymbol();
 if (!Sym)
- return false;
+ return ConditionTruthVal();
+
 return getStateManager().ConstraintMgr->isNull(this, Sym);
 }
--
cgit v1.2.3
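Review bot: In the new do/while in peelOffOuterExpr, each iteration looks the condition up with `N->getLocationContext()`, so once the walk steps onto a node from a different stack frame (an inlined callee evaluated after the condition, or a recursive invocation) the lookup is made against that frame rather than the one the ternary lives in. That presumably yields Unknown most of the time, but under recursion it could pick up a binding from another invocation and return the wrong arm. I would capture the context once before the loop, `const LocationContext *LCtx = N->getLocationContext();`, and query `State->getSVal(CondEx, LCtx)` inside it. A short comment such as `// isNull(cond) true => condition was false => the false arm was evaluated` would also help, since the arm mapping is the reverse of what the removed lines returned. The function body starts outside this hunk.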
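Review bot: In ProgramState::isNull, `if (!Sym) return ConditionTruthVal();` now reports "unconstrained" for every non-constant value without a symbol, not only for Unknown as the commit message describes. If getAsSymbol() also returns null for locations backed by a non-symbolic region (the address of a local, for example; this is not visible from the hunk, so worth confirming), those values are known non-null and used to get `false`, an answer they would now lose. Consider keeping the definite result for that case, e.g. `if (V.getAs<loc::MemRegionVal>()) return false;` inside the `!Sym` branch, and documenting the fallback with `// No symbol to query (Unknown/Undefined): nullness is unconstrained.`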