Use the element type to compute the array size when the base region is a VarRegion.

Patch by Jordy Rose. llvm-svn: 100099
2010-04-01 08:20:27 +00:00 · 2010-04-01 08:20:27 +00:00 · 640aad7667
parent 920070cfe7
commit 640aad7667
3 changed files with 31 additions and 4 deletions
--- a/clang/lib/Checker/RegionStore.cpp
+++ b/clang/lib/Checker/RegionStore.cpp
@ -787,9 +787,12 @@ DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state,
        return ValMgr.makeIntVal(CAT->getSize(), false);
      }

-      // Clients can use ordinary variables as if they were arrays.  These
-      // essentially are arrays of size 1.
-      return ValMgr.makeIntVal(1, false);
+      // Clients can reinterpret ordinary variables as arrays, possibly of
+      // another type. The width is rounded down to ensure that an access is
+      // entirely within bounds.
+      CharUnits VarSize = getContext().getTypeSizeInChars(T);
+      CharUnits EleSize = getContext().getTypeSizeInChars(EleTy);
+      return ValMgr.makeIntVal(VarSize / EleSize, false);
    }
  }

--- a/clang/test/Analysis/no-outofbounds.c
+++ b/clang/test/Analysis/no-outofbounds.c
@ -1,6 +1,5 @@
 // RUN: %clang_cc1 -analyzer-check-objc-mem -analyze -analyzer-experimental-internal-checks -analyzer-store=basic -verify %s
 // RUN: %clang_cc1 -analyzer-check-objc-mem -analyze -analyzer-experimental-internal-checks -analyzer-store=region -verify %s
-// XFAIL: *

 //===----------------------------------------------------------------------===//
 // This file tests cases where we should not flag out-of-bounds warnings.
@ -10,4 +9,6 @@ void f() {
  long x = 0;
  char *y = (char*) &x;
  char c = y[0] + y[1] + y[2]; // no-warning
+  short *z = (short*) &x;
+  short s = z[0] + z[1]; // no-warning
 }
--- a/clang/test/Analysis/outofbound.c
+++ b/clang/test/Analysis/outofbound.c
@ -13,3 +13,26 @@ void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
 }
+
+struct three_words {
+  int c[3];
+};
+
+struct seven_words {
+  int c[7];
+};
+
+void f3() {
+  struct three_words a, *p;
+  p = &a;
+  p[0] = a; // no-warning
+  p[1] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
+}
+
+void f4() {
+  struct seven_words c;
+  struct three_words a, *p = (struct three_words *)&c;
+  p[0] = a; // no-warning
+  p[1] = a; // no-warning
+  p[2] = a; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
+}