authorArtem Dergachev <artem.dergachev@gmail.com>2019-10-19 01:50:46 +0000
committerArtem Dergachev <artem.dergachev@gmail.com>2019-10-19 01:50:46 +0000
commit9504ebbcec8f25e384f36e4145c0cee135a58d88 (patch)
tree2a26e8e8d1b6fcf3e267ded2eeb719345f952879
parente8e29276b6864a489bf198c8fa29b1d08c176cc7 (diff)
downloadclang-9504ebbcec8f25e384f36e4145c0cee135a58d88.tar.gz
[analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor.
Patch by Kristóf Umann! Differential Revision: https://reviews.llvm.org/D68591 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@375329 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r--lib/StaticAnalyzer/Core/BugReporterVisitors.cpp8
-rw-r--r--test/Analysis/novoidtypecrash.c29
2 files changed, 29 insertions, 8 deletions
diff --git a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index 28382cd64f..7ba93b858b 100644
--- a/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -2034,8 +2034,6 @@ bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
// Is it a symbolic value?
if (auto L = V.getAs<loc::MemRegionVal>()) {
- report.addVisitor(std::make_unique<UndefOrNullArgVisitor>(L->getRegion()));
-
// FIXME: this is a hack for fixing a later crash when attempting to
// dereference a void* pointer.
// We should not try to dereference pointers at all when we don't care
@@ -2056,10 +2054,14 @@ bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
else if (CanDereference)
RVal = LVState->getSVal(L->getRegion());
- if (CanDereference)
+ if (CanDereference) {
+ report.addVisitor(
+ std::make_unique<UndefOrNullArgVisitor>(L->getRegion()));
+
if (auto KV = RVal.getAs<KnownSVal>())
report.addVisitor(std::make_unique<FindLastStoreBRVisitor>(
*KV, L->getRegion(), EnableNullFPSuppression, TKind, SFC));
+ }
const MemRegion *RegionRVal = RVal.getAsRegion();
if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
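Review bot: The new `if (CanDereference) {` block at the top of the hunk now gates UndefOrNullArgVisitor as well as FindLastStoreBRVisitor, but nothing in the code says why the first visitor needs the gate, so a later cleanup could hoist it back out and reintroduce the crash. Suggest a one-line comment above the moved `report.addVisitor(` call: `// UndefOrNullArgVisitor dereferences the region, which must not happen for void* (PR43551).` The FIXME just above this hunk still describes the CanDereference check as a hack for a "later crash"; with this change it is the intended guard for that visitor and the wording could be updated to say so. trackExpressionValue begins and ends outside the hunk.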
diff --git a/test/Analysis/novoidtypecrash.c b/test/Analysis/novoidtypecrash.c
index c04cfca29b..b19990a279 100644
--- a/test/Analysis/novoidtypecrash.c
+++ b/test/Analysis/novoidtypecrash.c
@@ -1,8 +1,27 @@
// RUN: %clang_analyze_cc1 -analyzer-checker=core %s
+x;
+y(void **z) { // no-crash
+ *z = x;
+ int *w;
+ y(&w);
+ *w;
+}
+
a;
-b(void **c) { // no-crash
- *c = a;
- int *d;
- b(&d);
- *d;
+b(*c) {}
+e(*c) {
+ void *d = f();
+ b(d);
+ *c = d;
+}
+void *g() {
+ e(&a);
+ return a;
+}
+j() {
+ int h;
+ char i = g();
+ if (i)
+ for (; h;)
+ ;
}
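Review bot: The added functions b, e, g and j carry no comment tying them to the crash they reproduce, while the pre-existing case keeps its `// no-crash` marker; a `// PR43551, no-crash` comment on the `e(*c) {` line would make the purpose of the reduced case visible to the next person who touches this file. The rename of the original case from b/c/d to y/z/w appears to exist only to free the name `b` for the new function; picking another name for the new function would leave the existing lines untouched. The RUN line sets no -std and the file relies on implicit int and implicit function declarations, so the test stays meaningful only while the default C dialect still accepts those.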