From bb81ffb342eaa647854ee0764304942884d8b873 Mon Sep 17 00:00:00 2001
From: Ted Kremenek <kremenek@apple.com>
Date: Wed, 25 Jul 2012 21:58:25 +0000
Subject: [PATCH] Update ExprEngine's handling of ternary operators to find the
 ternary expression value by scanning the path, rather than assuming we have
 visited the '?:' operator as a terminator (which sets a value indicating
 which expression to grab the final ternary expression value from).

llvm-svn: 160760
---
 clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp | 28 +++++++++++++------
 clang/test/Analysis/misc-ps.c                 |  7 +++++
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index 0254b756ee4c..4bcc0fbd100c 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -590,17 +590,27 @@ void ExprEngine::VisitGuardedExpr(const Expr *Ex,
                                   ExplodedNode *Pred,
                                   ExplodedNodeSet &Dst) {
   StmtNodeBuilder B(Pred, Dst, *currentBuilderContext);
-  
   ProgramStateRef state = Pred->getState();
   const LocationContext *LCtx = Pred->getLocationContext();
-  SVal X = state->getSVal(Ex, LCtx);  
-  assert (X.isUndef());  
-  const Expr *SE = (Expr*) cast<UndefinedVal>(X).getData();
-  assert(SE);
-  X = state->getSVal(SE, LCtx);
-  
-  // Make sure that we invalidate the previous binding.
-  B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, X, true));
+
+  // Assume that the last CFGElement visited is the value of
+  // the guarded expression.
+  ExplodedNode *N = Pred;
+  SVal V;
+  while (N) {
+    ProgramPoint P = N->getLocation();
+    if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) {
+      const Expr *Ex = cast<Expr>(PS->getStmt());
+      V = state->getSVal(Ex, LCtx);
+      break;
+    }
+    assert(N->pred_size() == 1);
+    N = *N->pred_begin();
+  }
+  assert(N);
+
+  // Generate a new node with the binding from the appropriate path.
+  B.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V, true));
 }
 
 void ExprEngine::
diff --git a/clang/test/Analysis/misc-ps.c b/clang/test/Analysis/misc-ps.c
index f81b0ddc68d2..8ff710b12f56 100644
--- a/clang/test/Analysis/misc-ps.c
+++ b/clang/test/Analysis/misc-ps.c
@@ -126,3 +126,10 @@ void rdar10686586() {
     }
 }
 
+// This example tests CFG handling of '||' nested in a ternary expression,
+// and seeing that the analyzer doesn't crash.
+int isctype(char c, unsigned long f)
+{
+  return (c < 1 || c > 10) ? 0 : !!(c & f);
+}
+