[analyzer] Getting an lvalue for a reference field still requires a load.

This was causing a crash in our array-to-pointer logic, since the region was clearly not an array. PR13440 / <rdar://problem/11977113> llvm-svn: 161051
2012-07-31 16:34:07 +00:00 · 2012-07-31 16:34:07 +00:00 · e8a21b73ac
parent 7b2f36e96a
commit e8a21b73ac
2 changed files with 45 additions and 3 deletions
--- a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@ -1522,10 +1522,17 @@ void ExprEngine::VisitMemberExpr(const MemberExpr *M, ExplodedNode *Pred,

  // For all other cases, compute an lvalue.    
  SVal L = state->getLValue(field, baseExprVal);
-  if (M->isGLValue())
+  if (M->isGLValue()) {
+    if (field->getType()->isReferenceType()) {
+      if (const MemRegion *R = L.getAsRegion())
+        L = state->getSVal(R);
+      else
+        L = UnknownVal();
+    }
+
    Bldr.generateNode(M, Pred, state->BindExpr(M, LCtx, L), false, 0,
                      ProgramPoint::PostLValueKind);
-  else {
+  } else {
    Bldr.takeNodes(Pred);
    evalLoad(Dst, M, M, Pred, state, L);
    Bldr.addNodes(Dst);
--- a/clang/test/Analysis/reference.cpp
+++ b/clang/test/Analysis/reference.cpp
@ -1,4 +1,6 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.core,debug.ExprInspection -analyzer-store=region -analyzer-constraints=range -verify -Wno-null-dereference %s
+
+void clang_analyzer_eval(bool);

 typedef typeof(sizeof(int)) size_t;
 void malloc (size_t);
@ -55,3 +57,36 @@ char t6 (char* p) {
  if (*p) return *p;
  return *(char*)0; // no-warning
 }
+
+
+// PR13440 / <rdar://problem/11977113>
+// Test that the array-to-pointer decay works for array references as well.
+// More generally, when we want an lvalue for a reference field, we still need
+// to do one level of load.
+namespace PR13440 {
+  typedef int T[1];
+  struct S {
+    T &x;
+
+    int *m() { return x; }
+  };
+
+  struct S2 {
+    int (&x)[1];
+
+    int *m() { return x; }
+  };
+
+  void test() {
+    int a[1];
+    S s = { a };
+    S2 s2 = { a };
+
+    if (s.x != a) return;
+    if (s2.x != a) return;
+
+    a[0] = 42;
+    clang_analyzer_eval(s.x[0] == 42); // expected-warning{{TRUE}}
+    clang_analyzer_eval(s2.x[0] == 42); // expected-warning{{TRUE}}
+  }
+}