Added special handling for UninitializedVals for the transfer function logic

for pointer dereferences. llvm-svn: 47340
2008-02-19 20:53:06 +00:00 · 2008-02-19 20:53:06 +00:00 · 9c08512656
parent 4baef06bbc
commit 9c08512656
2 changed files with 29 additions and 4 deletions
--- a/clang/Analysis/GRExprEngine.cpp
+++ b/clang/Analysis/GRExprEngine.cpp
@ -642,6 +642,17 @@ void GRExprEngine::VisitUnaryOperator(UnaryOperator* U,
        const RValue& V = GetValue(St, U->getSubExpr());        
        const LValue& L1 = cast<LValue>(V);
        
+        if (isa<UninitializedVal>(L1)) {
+          NodeTy* N = Builder->generateNode(U, St, N1);
+          
+          if (N) {
+            N->markAsSink();
+            UninitDeref.insert(N);            
+          }
+          
+          return;
+        }
+        
        // After a dereference, one of two possible situations arise:
        //  (1) A crash, because the pointer was NULL.
        //  (2) The pointer is not NULL, and the dereference works.
@ -776,6 +787,11 @@ void GRExprEngine::VisitBinaryOperator(BinaryOperator* B,
            break;
          }
          
+          if (isa<UninitializedVal>(V2)) {
+            Nodify(Dst, B, N2, SetValue(SetValue(St, B, V2), L1, V2));
+            break;
+          }
+          
          RValue Result = cast<NonLValue>(UnknownVal());
          
          if (Op >= BinaryOperator::AndAssign)
@ -1232,6 +1248,7 @@ struct VISIBILITY_HIDDEN DOTGraphTraits<GRExprEngine::NodeTy*> :
    
    if (GraphPrintCheckerState->isImplicitNullDeref(N) ||
        GraphPrintCheckerState->isExplicitNullDeref(N) ||
+        GraphPrintCheckerState->isUninitDeref(N) ||
        GraphPrintCheckerState->isUninitStore(N) ||
        GraphPrintCheckerState->isUninitControlFlow(N))
      return "color=\"red\",style=\"filled\"";
@ -1268,6 +1285,9 @@ struct VISIBILITY_HIDDEN DOTGraphTraits<GRExprEngine::NodeTy*> :
        else if (GraphPrintCheckerState->isExplicitNullDeref(N)) {
          Out << "\\|Explicit-Null Dereference.\\l";
        }
+        else if (GraphPrintCheckerState->isUninitDeref(N)) {
+          Out << "\\|Dereference of uninitialied value.\\l";
+        }
        else if (GraphPrintCheckerState->isUninitStore(N)) {
          Out << "\\|Store to Uninitialized LValue.";
        }
--- a/clang/include/clang/Analysis/PathSensitive/GRExprEngine.h
+++ b/clang/include/clang/Analysis/PathSensitive/GRExprEngine.h
@ -121,9 +121,10 @@ protected:
  
  /// ImplicitNullDeref - Nodes in the ExplodedGraph that result from
  ///  taking a dereference on a symbolic pointer that may be NULL.
-  typedef llvm::SmallPtrSet<NodeTy*,5> NullDerefTy;
-  NullDerefTy ImplicitNullDeref;
-  NullDerefTy ExplicitNullDeref;
+  typedef llvm::SmallPtrSet<NodeTy*,5> BadDerefTy;
+  BadDerefTy ImplicitNullDeref;
+  BadDerefTy ExplicitNullDeref;
+  BadDerefTy UninitDeref;
  
  bool StateCleaned;
  
@ -187,7 +188,11 @@ public:
    return N->isSink() && ExplicitNullDeref.count(const_cast<NodeTy*>(N)) != 0;
  }
  
-  typedef NullDerefTy::iterator null_iterator;
+  bool isUninitDeref(const NodeTy* N) const {
+    return N->isSink() && UninitDeref.count(const_cast<NodeTy*>(N)) != 0;
+  }
+  
+  typedef BadDerefTy::iterator null_iterator;
  null_iterator null_begin() { return ExplicitNullDeref.begin(); }
  null_iterator null_end() { return ExplicitNullDeref.end(); }