[analyzer] Track indices of arrays

Often times, when an ArraySubscriptExpr was reported as null or
undefined, the bug report was difficult to understand, because the
analyzer explained why arr[i] has that value, but didn't realize that in
fact i's value is very important as well. This patch fixes this by
tracking the indices of arrays.

Differential Revision: https://reviews.llvm.org/D63080

llvm-svn: 363510

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

@@ -1740,6 +1740,10 @@ bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
   if (const Expr *Receiver = NilReceiverBRVisitor::getNilReceiver(Inner, LVNode))
     trackExpressionValue(LVNode, Receiver, report, EnableNullFPSuppression);
 
+  if (const auto *Arr = dyn_cast<ArraySubscriptExpr>(Inner))
+    trackExpressionValue(
+        LVNode, Arr->getIdx(), report, EnableNullFPSuppression);
+
   // See if the expression we're interested refers to a variable.
   // If so, we can track both its contents and constraints on its value.
   if (ExplodedGraph::isInterestingLValueExpr(Inner)) {

clang/test/Analysis/diagnostics/track_subexpressions.cpp

@@ -17,3 +17,28 @@ void shift_by_undefined_value() {
   (void)(TCP_MAXWIN << shift_amount); // expected-warning{{The result of the left shift is undefined due to shifting by '255', which is greater or equal to the width of type 'int'}}
                                       // expected-note@-1{{The result of the left shift is undefined due to shifting by '255', which is greater or equal to the width of type 'int'}}
 }
+
+namespace array_index_tracking {
+void consume(int);
+
+int getIndex(int x) {
+  int a;
+  if (x > 0)
+    a = 3;
+  else
+    a = 2;
+  return a;
+}
+
+int getInt();
+
+void testArrayIndexTracking() {
+  int arr[10];
+
+  for (int i = 0; i < 3; ++i)
+    arr[i] = 0;
+  int x = getInt();
+  int n = getIndex(x);
+  consume(arr[n]);
+}
+} // end of namespace array_index_tracking